If you have 25Mbps and a throttle to 1-2Mbps it's mostly packet loss (line, NIC, driver etc.) and a suboptimal window size. Packet loss would also slow down IPSec, so I'd go for problems on the line or the NIC.
Can you try MSS to 1000 on IPSEC or LAN interface?
I only use the router/modems from Zyxel in bridge mode, perhaps they have some sort of IPSEC replay detection which is enabled?
MTU should be higher than MSS. Try 1200 MTU and 1000 MSS.
Also show a complete capture (first 5 seconds but with the 3-way handshake) inside the tunnel.
00:02:42.558779 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [P.], seq 3004363110:3004363875, ack 423027980, win 1264, length 765
00:00:00.000056 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [F.], seq 765, ack 1, win 1264, length 0
00:00:00.093263 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [F.], seq 765, ack 1, win 1264, length 0
00:00:00.247810 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
00:00:00.248096 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
00:00:00.247992 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
00:00:00.247945 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
00:00:00.248026 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
00:00:00.247961 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
00:00:00.248023 rule 1..16777216/0(match): block out on enc0: HTTP_SERVER.443 > HTTP_CLIENT.58101: Flags [FP.], seq 0:765, ack 1, win 1264, length 765
Do you use some QoS outside of the tunnel to guarantee traffic to IPSEC? Then the reordering could also throttle the tunnel.
In the 3-way handshake the MSS is still 1460, so your setting doesn't work. Also the window size of 256 is way too small .. it should grow to 64kb when there's no loss.
A pcap file (you know my private Mail) would be better to trace.
The problem is that ESP is not TCP, so on the WAN side it won't be reduced since it doesn't see any TCP packets.
10:42:25.923159 IP GOOD_OPNSENSE.4500 > BAD_OPNSENSE.4500: UDP-encap: ESP(spi=0xc63f6a01,seq=0x6ea), length 104
10:42:25.923444 IP BAD_OPNSENSE.4500 > GOOD_OPNSENSE.4500: UDP-encap: ESP(spi=0xce9f75ee,seq=0xe95), length 248
10:42:25.923812 IP BAD_OPNSENSE.4500 > GOOD_OPNSENSE.4500: UDP-encap: ESP(spi=0xce9f75ee,seq=0xe96), length 376
10:42:25.924155 IP BAD_OPNSENSE.4500 > GOOD_OPNSENSE.4500: UDP-encap: ESP(spi=0xce9f75ee,seq=0xe97), length 376
But I'm quite sure it's something with the line because the window size is really too small.
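Since the ESP sequence number is visible on the WAN side without decrypting anything, a capture like the one above is enough to check the "loss or reordering on the line" theory per security association. This is an added example, not code from the thread; the sample lines are constructed in the format of the tcpdump output quoted above, with placeholder hosts and SPIs.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the quoted tcpdump output (placeholder
# hosts and SPIs). On the SITE_B -> SITE_A SA, seq 0xe96 never shows up and
# 0xe98 arrives after 0xe99, so that SA exhibits both loss and reordering.
SAMPLE = """\
10:42:25.923159 IP SITE_A.4500 > SITE_B.4500: UDP-encap: ESP(spi=0xaaaa0001,seq=0x6ea), length 104
10:42:25.923444 IP SITE_B.4500 > SITE_A.4500: UDP-encap: ESP(spi=0xbbbb0002,seq=0xe95), length 248
10:42:25.923812 IP SITE_B.4500 > SITE_A.4500: UDP-encap: ESP(spi=0xbbbb0002,seq=0xe97), length 376
10:42:25.924155 IP SITE_B.4500 > SITE_A.4500: UDP-encap: ESP(spi=0xbbbb0002,seq=0xe99), length 376
10:42:25.924410 IP SITE_B.4500 > SITE_A.4500: UDP-encap: ESP(spi=0xbbbb0002,seq=0xe98), length 376
10:42:25.924700 IP SITE_A.4500 > SITE_B.4500: UDP-encap: ESP(spi=0xaaaa0001,seq=0x6eb), length 104
"""

ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")

def esp_seq_stats(capture_text):
    """Per SPI: packets seen, seq numbers missing between the lowest and highest
    seen (loss), arrivals below an earlier seq (reordering), and duplicates
    (which the receiver's anti-replay window would drop)."""
    seqs = defaultdict(list)
    for line in capture_text.splitlines():
        m = ESP_RE.search(line)
        if m:
            seqs[m.group(1).lower()].append(int(m.group(2), 16))
    stats = {}
    for spi, s in seqs.items():
        high, reordered = s[0], 0
        for seq in s[1:]:
            if seq < high:
                reordered += 1
            high = max(high, seq)
        distinct = len(set(s))
        stats[spi] = {
            "packets": len(s),
            "missing": (max(s) - min(s) + 1) - distinct,
            "reordered": reordered,
            "duplicates": len(s) - distinct,
        }
    return stats

def loss_ratio(stat):
    """Fraction of the SA's sequence space that never arrived."""
    return stat["missing"] / (stat["packets"] + stat["missing"])

if __name__ == "__main__":
    for spi, st in esp_seq_stats(SAMPLE).items():
        print(f"spi=0x{spi} {st} loss={loss_ratio(st):.1%}")
```

Feed it `tcpdump -n udp port 4500` (or `esp`) output from the WAN interface of both ends; gaps are a lower bound, since packets lost after the last one captured are invisible, and a rekey starts a fresh SPI with its own sequence space.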
Has anyone achieved higher performance? What is the limiting factor for the poor performance? I would assume the more cores a CPU has, the higher the throughput. The CPU load on the dashboard shows only 15%.