IPsec throughput poor

Started by ccesario, February 10, 2022, 03:36:47 PM

Hi folks,

I'm facing this behavior with 21.1, 21.7 and now with the 22.1 series.
I have two OPNsense routers with the same version - 22.1-amd64

1 - Branch office
     vmx0 - LAN interface - 172.20.0.0/24
     vmx1 - WAN interface - 1.1.1.1

2 - Head office
     vmx0 - LAN interface - 172.50.0.0/24
     vmx1 - WAN interface - 2.2.2.2


Each one has the same config and is running on ESXi.
When I transfer files (SCP, CIFS, HTTP) over the IPsec tunnel between networks 172.50.0.0/24 and 172.20.0.0/24, the network throughput does not go over 30Mbps.

When I try to transfer files from the Head office LAN 172.50.0.0/24 to the Branch office 1.1.1.1 over the WAN interface (port forward), I get 90Mbps of throughput. The same happens from the Branch office LAN to the Head office over WAN.


Does anyone have an idea how to solve it?

These options are already disabled on both devices:
Hardware CRC
Hardware TSO
Hardware LRO
VLAN Hardware Filtering



Best regards

It may be an issue with MTU and MSS size; there are some posts in this forum about performance issues and IPsec, worth a try.

Hi @Cerberus,
Thank you for the tip.

But is there any documentation about it? Or a reference?

Regards
Carlos

Try to enforce a max. MSS value on the IPsec interface using a normalization rule in Firewall > Advanced > Normalization. See an example attached.

http://cloud.tapatalk.com/s/620558dfc945d/Safari%20-%2010.02.2022%20at%2019%3A24.pdf
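
As an added example (not part of any post in this thread and not OPNsense code), the Python sketch below works out the largest TCP MSS that still fits in a single ESP tunnel-mode packet, which is the kind of value a normalization rule like the one suggested above would enforce. The WAN MTUs and ESP transforms shown are assumptions, since the thread does not say which ones are in use; IPv4 is assumed for both the inner and outer headers.

```python
# Added example: largest TCP MSS that avoids fragmentation of ESP tunnel-mode
# packets. Sizes are the standard ESP field sizes; the WAN MTUs and transforms
# below are assumptions (the thread does not state them).
IP4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte

# transform -> (IV bytes, padding alignment bytes, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha2-256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}


def inner_mtu(outer_mtu, transform, nat_t=False):
    """Largest inner IPv4 packet whose ESP encapsulation fits outer_mtu."""
    iv, align, icv = TRANSFORMS[transform]
    # Bytes left for the encrypted part after the outer headers, IV and ICV.
    room = outer_mtu - IP4_HDR - ESP_HDR - iv - icv
    if nat_t:
        room -= UDP_HDR  # UDP encapsulation (port 4500) adds a UDP header
    if room < align:
        raise ValueError("outer MTU too small for this transform")
    # Payload + padding + trailer must end on an alignment boundary, so only
    # a whole number of aligned units is usable; the trailer sits inside it.
    return room // align * align - ESP_TRAILER


def max_mss(outer_mtu, transform, nat_t=False):
    """MSS to clamp to: inner MTU minus inner IPv4 and TCP headers."""
    return inner_mtu(outer_mtu, transform, nat_t) - IP4_HDR - TCP_HDR


def mss_table(outer_mtus=(1500, 1492)):
    """Rows of (outer MTU, transform, NAT-T, inner MTU, MSS)."""
    return [
        (mtu, name, nat_t, inner_mtu(mtu, name, nat_t), max_mss(mtu, name, nat_t))
        for mtu in outer_mtus
        for name in TRANSFORMS
        for nat_t in (False, True)
    ]


if __name__ == "__main__":
    for mtu, name, nat_t, inner, mss in mss_table():
        print(f"WAN MTU {mtu}  {name:<26} NAT-T={nat_t!s:<5} inner MTU={inner}  MSS={mss}")
```

Any additional encapsulation on the WAN path (for example PPPoE or a VLAN-in-tunnel setup) lowers the outer MTU and has to be reflected in the first argument.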

Hello Dear 8191

Thank you for your tip. I will try enabling it, test, and report here.

regards
Carlos


I'm having the same problem and tried this fix on both ends with no change. IPsec still maxes out around 30mbit. Did you have to do anything else to resolve this?