930 Views, 0 Helpful, 1 Reply

Slow IPSEC VPN tunnel speed - CML

brianmiller (Level 1)

I have a home router that is incapable of running a VPN so I've been experimenting with different software solutions to get around this for my home network. Basically, I want to utilize this router for transport, but have another router (virtual) connected to my VPN and routing through that tunnel. I've tested it with a Linux VM and using iptables which worked decently, but ran into issues with it disconnecting and having to restart the VM. I tested it using a Windows Server VM running the Routing and Remote Access to NAT through the OpenVPN NIC, but the speed there was much slower than Linux. Now I'm trying it using a CML lab VM with these configs:

Current configuration : 7389 bytes
!
! Last configuration change at 15:23:58 UTC Thu Aug 10 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CML-NordVPN-R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.127
!
ip dhcp pool LOCAL
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.127 
 dns-server 8.8.8.8 8.8.4.4 
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!         
!
!
crypto pki trustpoint NORDVPN
 enrollment terminal pem
 revocation-check none
!
!
crypto pki certificate chain NORDVPN
 certificate ca 01
  3082050A 308202F2 A0030201 02020101 300D0609 2A864886 F70D0101 0D050030 
  39310B30 09060355 04061302 50413110 300E0603 55040A13 074E6F72 6456504E 
  31183016 06035504 03130F4E 6F726456 504E2052 6F6F7420 4341301E 170D3136 
  30313031 30303030 30305A17 0D333531 32333132 33353935 395A3039 310B3009 
  06035504 06130250 41311030 0E060355 040A1307 4E6F7264 56504E31 18301606 
  03550403 130F4E6F 72645650 4E20526F 6F742043 41308202 22300D06 092A8648 
  86F70D01 01010500 0382020F 00308202 0A028202 0100C92B FC1621CA 8D05DAEA 
  6C20C5F0 0BA42F91 9A6CDCD3 76FDE405 91F4084B 582A9746 9E8EC2AC 127998D0 
  A6A89FCB 990935CF B111F581 03608390 F6822C5D 77598952 F577744D F2F4526B 
  5CCA0391 7742181A 1DBCA272 53A95C7C 4545EBF5 311DC6C1 82E64AF5 4B511D2F 
  5E2589B7 AE92FFE6 1B90302A 695FB914 790F1DA4 2C1DDE22 884EAC1D D59B9D0E 
  AB16694D 2FAB30B6 1F9E48C9 A67FE7F4 E70A4DF5 43550FE8 192C6DBB 91730395 
  B24103B2 6E98A160 E79FF208 CC63989C 5251CD01 F98D3CF7 8F5401BD 122E42E0 
  6EBD491F 871D4513 08706628 2B7315EE 30FF9080 CE7891EC E0CE2254 69970E33 
  6CC5DE5B EBC0CBD7 0CC7CD78 8A09001B FD963C3D EBDC50F1 CCD0094E 65315980 
  DFB96DBF 911CF54E 6166EC24 FFD40ED5 9F9DFEBE 89C749A5 BAB4BC82 70802898 
  306B7932 670E9EE0 567C9982 F8BE9451 84F76F45 35823099 1E078C81 1F287152 
  64D18091 E6E98477 0FA85C14 073D7107 13125FC8 EB4B4C77 3DF71BA9 B43B8DAC 
  42DFFE01 1DD8098F D1BAC595 04907FA8 D4BDE04B 4DB63F22 69E6C241 6D631C08 
  6F1A6148 2D547D97 30F41335 8A1E4BF2 5848E651 54600837 7A35EDDE 151352EF 
  781DBFF0 B79796E8 63249EBB 87B19046 15C55467 F03842C6 CD0C9E43 075852BA 
  332CD708 29FE2675 850D83DF 0CA1EFA5 F7FF90B0 E86ED3C1 7FE2DB72 1E70432F 
  6AB98DBB C5A8F45F 02F28CE9 6DA62493 2D669EFD 0E2F0203 010001A3 1D301B30 
  0C060355 1D130405 30030101 FF300B06 03551D0F 04040302 0106300D 06092A86 
  4886F70D 01010D05 00038202 0100BD7D 42F6B193 F120DDA6 0F7D9578 DC924E06 
  65084755 9A5AB8EF 5A3F6C33 0FE01F20 9D07AC15 1B576366 428ECE74 266EF707 
  62D588BF 6A951126 23ABC4E4 80BC22C4 41252578 71ED5663 1C97AE8E 6B99583F 
  93A6B5D2 B96C6CAF DE83FFC6 1E82710D D5C33A89 0B5129F1 B7B824DD 02A95FA7 
  82761EBB A743EE5A 6FFB5942 50C47D92 0F1B13F6 F07F899A E24C811E FC82E839 
  017402AA 7B020342 70B70B02 66F15D09 17602092 077E55A7 4EAEF9E4 D68C6D3F 
  A724B957 5E2CB46B 70F9F034 0C9A7964 95787AA2 792EAC4C 958BC467 FA8A4C47 
  6809E697 BF640498 DE9D56A8 C3A13028 934B79BB 86115F31 1509F5C0 0B7A1CA6 
  535DB420 3BDB08C5 25C49B7E 27F80520 BC6C3002 4D7B673C 2EE70F45 677592E9 
  F9188D2D E8843619 34A130BE 51575273 E9F69C93 B39022B4 BD8BB401 DB382462 
  01EE0F08 077CF6B7 D2029AC5 AB82785D 35D70E7B 5E418A77 2B180F1A BD0D5C59 
  7B1F20A1 236EB9C4 B8493D6F 98DE97A3 5F1ED3CA A0773D98 3A5174D3 C849E55A 
  C0304CD6 62428677 87B79F4D 87C19A87 BE3E4CCD 6306CC38 7E124FBE 873B02D7 
  20EF8D09 12B6FDD3 89997E42 049A88C2 54F8411D 543D2C70 4074CF2A 148DA444 
  AD08CA73 A601985E C653FF69 3FE4A44B 043F2699 4259C19F 7027D424 73F21D12 
  3C0A4BF0 FCAD8206 0A790991 865E3DF7 EEA32F17 19D887A0 2DFAAAE3 5773223C 
  07C13329 960FB5A4 A20E5688 E958
        quit
!
redundancy
!
!
! 
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile NORDVPN_IKEV2_PROFILE
 match identity remote any
 authentication remote rsa-sig
 authentication local eap mschapv2 username NORDVPNUSERNAME password NORDVPNPASSWORD
 pki trustpoint NORDVPN verify
!
!
!
crypto ipsec transform-set NORDVPN_TRANS esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile NORDVPN_IPSEC_PROFILE
 set transform-set NORDVPN_TRANS 
 set ikev2-profile NORDVPN_IKEV2_PROFILE
!
!
!
!
!
!
!
interface Tunnel100
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 140.99.201.187
 tunnel protection ipsec profile NORDVPN_IPSEC_PROFILE
!
interface GigabitEthernet0/0
 description <== External Bridge Interface ==>
 ip address 192.168.0.127 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 4 interface Tunnel100 overload
ip route 0.0.0.0 0.0.0.0 Tunnel100
ip route 140.99.201.187 255.255.255.255 192.168.0.1
!
ipv6 ioam timestamp
!         
!
access-list 4 permit 192.168.0.0 0.0.0.255 log
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

This works perfectly. My home devices connect to the router via WiFi, pull DHCP from the virtual router, and route through the VPN. The only issue is my speed through that tunnel is insanely slow. My ISP speed is 200Mbps, but when routed through the VPN I'm only getting 1-2Mbps. Even running through the Windows server I was getting 20-30Mbps. I've tried messing around with the MTU and tcp adjust-mss but haven't seen any differences. Is there any way I can increase the speed here?

1 Reply

salvexzatmin (Level 1)

When encountering slow IPsec VPN tunnel speeds in Cisco Modeling Labs (CML), several factors can contribute to this issue, and it's essential to troubleshoot systematically. Here are some steps to consider:

  1. Bandwidth Limitations: Ensure that the network connection on the CML host machine, as well as the resources allocated to the CML virtual environment, are not causing any bottlenecks.

  2. VPN Configuration: Double-check the IPsec VPN configuration on both ends of the tunnel, including the encryption algorithms, authentication methods, and key exchange settings. Mismatched settings can significantly impact performance.

  3. Network Latency: High network latency can lead to slow VPN speeds. Investigate the latency between the source and destination networks, as well as any intermediate hops. Optimize the network path where possible.

  4. MTU (Maximum Transmission Unit): Incorrect MTU settings can cause fragmentation and impact performance. Ensure that the MTU settings are appropriate for the network environment.

  5. Firewall and Security Devices: Check if any firewalls or security devices are impacting the VPN traffic. These devices might be inspecting or throttling the VPN traffic, leading to reduced speeds.

  6. VPN Gateway Performance: Monitor the CPU and memory usage on the VPN gateways. Overloaded devices may struggle to process the VPN traffic efficiently.

  7. Traffic Prioritization: If other network traffic competes with the VPN traffic, consider implementing Quality of Service (QoS) or traffic prioritization policies to ensure that the VPN traffic gets appropriate bandwidth.

  8. Debugging and Logs: Use debugging and logging features provided by the networking equipment to identify potential issues. Look for error messages, dropped packets, or other anomalies.

  9. Firmware and Software Updates: Ensure that the networking equipment, including routers and firewalls, have the latest firmware or software updates. Sometimes, performance issues are resolved in newer releases.

  10. Network Topology: Review the overall network topology. If the VPN traffic goes through multiple hops or is routed through congested links, it can impact speed.

By methodically addressing each of these potential issues, you should be able to identify the root cause of the slow IPsec VPN tunnel speed in CML and take appropriate actions to improve the performance.
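Steps 4 (MTU) and 8 (logs) of the reply can be checked mechanically against the config posted in the question. The script below is an added example, not code from the thread or from Cisco: it parses an IOS running-config as text, works out the worst-case ESP tunnel-mode overhead from the configured transform set (framing sizes per RFC 4303, HMAC ICV lengths per RFC 2404/4868), and flags three throughput pitfalls: an `ip tcp adjust-mss` value that does not fit the tunnel `ip mtu`, a tunnel MTU that no longer fits the physical MTU (assumed to be 1500) once ESP is added, and the `log` keyword on the ACL that drives NAT overload, which takes matching packets off the fast path. The sample config is a trimmed, constructed copy of the relevant lines from the question.

```python
"""Static checks for throughput pitfalls in an IOS IPsec-over-NAT config.

Added example, not code from the thread or from Cisco.  It parses a
running-config as text and flags settings that commonly cap tunnel
throughput: the 'log' keyword on the ACL that drives NAT, an adjust-mss
value that does not fit the tunnel MTU, and a tunnel MTU that, once ESP
overhead is added, no longer fits the physical MTU (assumed 1500).
"""
import re

# ESP tunnel-mode framing sizes (RFC 4303): outer IPv4 header, SPI+sequence
# header, pad-length+next-header trailer.  Per-algorithm IV, block and ICV
# sizes for the transform names IOS uses on a transform-set line.
OUTER_IP, ESP_HEADER, ESP_TRAILER = 20, 8, 2
IV_BYTES = {"esp-aes": 16, "esp-3des": 8}
BLOCK_BYTES = {"esp-aes": 16, "esp-3des": 8}
ICV_BYTES = {"esp-sha-hmac": 12, "esp-sha256-hmac": 16,
             "esp-sha384-hmac": 24, "esp-sha512-hmac": 32}


def esp_overhead(cipher: str, auth: str, inner_len: int) -> int:
    """Bytes added when an inner packet of inner_len is ESP-encapsulated in tunnel mode."""
    pad = (-(inner_len + ESP_TRAILER)) % BLOCK_BYTES[cipher]
    return OUTER_IP + ESP_HEADER + IV_BYTES[cipher] + pad + ESP_TRAILER + ICV_BYTES[auth]


def max_esp_overhead(cipher: str, auth: str) -> int:
    """Worst case: the payload needs block_size-1 bytes of padding."""
    return (OUTER_IP + ESP_HEADER + IV_BYTES[cipher] + (BLOCK_BYTES[cipher] - 1)
            + ESP_TRAILER + ICV_BYTES[auth])


def interface_blocks(config: str) -> dict:
    """Map interface name -> list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def check_config(config: str, physical_mtu: int = 1500) -> list:
    findings = []
    # 1. NAT overload driven by a numbered ACL that also logs every match.
    nat = re.search(r"^ip nat inside source list (\S+) interface (\S+)", config, re.M)
    if nat:
        acl, nat_if = nat.groups()
        if re.search(rf"^access-list {re.escape(acl)} .*\blog\b", config, re.M):
            findings.append(
                f"access-list {acl} (NAT list for {nat_if}) carries 'log': logged ACL hits "
                "leave the fast path and are rate-limited; drop 'log' from a NAT ACL")
    # 2. Derive ESP overhead from the transform set actually configured.
    ts = re.search(r"^crypto ipsec transform-set \S+ (esp-\S+)(?: \d+)? (esp-\S+-hmac)",
                   config, re.M)
    cipher, auth = ts.groups() if ts else ("esp-aes", "esp-sha-hmac")
    worst = max_esp_overhead(cipher, auth)
    # 3. MTU / MSS sanity on every tunnel interface.
    for name, cmds in interface_blocks(config).items():
        if not name.startswith("Tunnel"):
            continue
        mtu = mss = None
        for cmd in cmds:
            if cmd.startswith("ip mtu "):
                mtu = int(cmd.split()[2])
            elif cmd.startswith("ip tcp adjust-mss "):
                mss = int(cmd.split()[3])
        if mtu and mss and mss > mtu - 40:
            findings.append(f"{name}: adjust-mss {mss} exceeds ip mtu {mtu} minus 40 bytes "
                            "of IP+TCP headers")
        if mtu and mtu + worst > physical_mtu:
            findings.append(f"{name}: ip mtu {mtu} + up to {worst} bytes ESP overhead exceeds "
                            f"physical MTU {physical_mtu}; encrypted packets will fragment")
    return findings


# Constructed sample: the relevant lines of the config posted in the question.
SAMPLE_CONFIG = """\
crypto ipsec transform-set NORDVPN_TRANS esp-aes 256 esp-sha-hmac
 mode tunnel
!
interface Tunnel100
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip tcp adjust-mss 1300
 tunnel mode ipsec ipv4
!
interface GigabitEthernet0/0
 ip address 192.168.0.127 255.255.255.0
 ip nat inside
!
ip nat inside source list 4 interface Tunnel100 overload
access-list 4 permit 192.168.0.0 0.0.0.255 log
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the posted values the MTU arithmetic comes out clean (1400 bytes plus at most 73 bytes of AES-CBC/SHA1-HMAC overhead stays under 1500, and an MSS of 1300 fits a 1400-byte MTU), so the only finding is the `log` keyword on access-list 4; changing the tunnel to `ip mtu 1450` would add a fragmentation finding. The script only understands numbered ACLs and the two CBC ciphers listed; extend the tables before pointing it at a config that uses GCM or named ACLs.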