01-22-2015 02:55 AM - edited 02-21-2020 08:01 PM
Hi. I have an IPSec site-to-site VPN between 2 Cisco 2911 SEC/K9 (C2900-UNIVERSALK9-M, Version 15.3(3)M2). They are connected via a leased FO channel, so I can ping each side using ordinary routing too. The throughput without encryption is 92-94 Mbps, but when I enable the VPN tunnel it decreases to 50-60 Mbps. (I'm using jperf to measure bandwidth.) According to the official Cisco datasheet, the maximum throughput for IPSec encryption for the 2911 SEC/K9 is 85 Mbps. At my previous workplace the same routers provided a real 80 Mbps, but now something is going wrong.
Here is a piece of the config:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto ipsec transform-set VPN_TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
I used various types of encryption and hashing too, but got the same 50-60 Mbps. What could be the reason for this problem? Should I use GRE over IPSec instead of an ordinary IPSec VPN?
Thank you in advance
01-23-2015 03:11 AM
The most common causes for performance problems in IPv4 are:
- packet loss
- latency
- fragmentation
Are you seeing packet loss? Is the latency as it was with the other setup? Is there any fragmentation on either the encrypted or the plaintext side?
Are the IPsec flows handled in software or hardware (onboard chip I'd assume?).
M.
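The fragmentation question above, worked through for the transform set quoted in the original post (`esp-aes 256 esp-sha256-hmac`, `mode tunnel`). This is an added example, not part of any post in this thread: it computes the ESP tunnel-mode packet size and the largest inner packet that fits the path MTU. The 1500-byte MTU, AES-CBC, the 128-bit ICV truncation from RFC 4868, and all function names are assumptions.

```python
# Added example: ESP tunnel-mode size arithmetic for the transform set in the
# question (esp-aes 256 esp-sha256-hmac, mode tunnel). The constants are
# assumptions stated here, not values read from the routers in the thread.
OUTER_IPV4 = 20      # new outer IPv4 header, no options
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_BLOCK = 16       # AES-CBC block size; also the per-packet IV length
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_SHA256 = 16      # HMAC-SHA-256 truncated to 128 bits (RFC 4868)
NAT_T = 8            # UDP/4500 encapsulation, only if NAT traversal is active


def esp_packet_size(inner_len, nat_t=False):
    """IP-layer size of one inner IPv4 packet after ESP tunnel encapsulation."""
    # Inner packet plus trailer is padded up to a whole number of AES blocks.
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // AES_BLOCK) * AES_BLOCK
    size = OUTER_IPV4 + ESP_HEADER + AES_BLOCK + padded + ICV_SHA256
    return size + (NAT_T if nat_t else 0)


def max_inner_packet(path_mtu=1500, nat_t=False):
    """Largest inner packet that still fits in path_mtu after encapsulation."""
    inner = path_mtu
    while inner > 0 and esp_packet_size(inner, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for(path_mtu=1500, nat_t=False):
    """TCP MSS that keeps a full-size segment unfragmented (20 B IP + 20 B TCP)."""
    return max_inner_packet(path_mtu, nat_t) - 40


if __name__ == "__main__":
    for inner in (1500, 1438, 576, 64):
        out = esp_packet_size(inner)
        verdict = "fragments" if out > 1500 else "fits"
        print(f"inner {inner:4d} -> ESP {out:4d} bytes ({verdict} at MTU 1500)")
    print("max inner packet:", max_inner_packet(), "-> TCP MSS", tcp_mss_for())
```

A full-size 1500-byte test packet grows past the MTU under these assumptions, so a throughput test with default TCP segment sizes exercises the fragmentation path unless the MSS or tunnel MTU is lowered.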
01-26-2015 03:03 AM
Hi. There isn't any packet loss and the latency is OK (1-2 ms). Fragmentation isn't used.
I think the IPsec flows are handled in hardware, based on the sh inv output: "C2911 Mother board 3GE, integrated VPN and 4W on Slot 0"