VPN

I've been trying to setup a site-to-site VPN using IPsec between two m0n0walls and regardless of what I do the connection is always slow and sporadic.

For testing purposes I've got one m0n0wall at my office and one at my house; both are served by the same local ISP and I've got 20/20 at the office and 8/8 at the house. If I setup PPTP and connect from either end I can get a full 8M sending or receiving so I know the bandwidth is available.

When I setup IPsec site to site things connect up just fine, but my speed is all over the place bouncing from ~100k to about 1.5M for data from the office to the house, but never more than that and watching the traffic graph on either end its very sporadic. What's really odd is data moving from the house to the office is also sporadic and bouncing all over the place, but it usually bounces around 5-8M so its much faster.

I've got allow fragmented IPsec packets checked and am using Blowfish for encryption. The m0n0wall at the office is running on an "old" dual core 2+ Ghz server and on a Soekris 5501 at the house. Neither show the CPU anywhere goes over 70% with anything I've thrown at them.

Anyone got any ideas?

1.5MB/s across an IPSEC on a 500mhz CPU is fairly decent performance. PPTP requires much less CPU power.

What are you using to benchmark the throughput?

I'm using the traffic graph in m0n0wall to gauge throughput. I've also got iSTAT NANO showing the same results on my MBP.

I don't think I'm processor limited (or at least not to a few hundred Kbps) because I've done a test with just a network switch between the two m0n0walls
(office LAN -> m0n0 on 2ghz server -> WAN switch -> m0n0 on Soekris -> test computer)
and when I do that I can get a solid 16+ Mbps between them using IPsec (screen shots attached).

I'd love to just blame the ISP, but even that doesn't pan out because I can get a full 8 Mbps sync without the IPsec going between the two sites so there's got to be something else I'm missing.

Note all my measurements are in bits/second not bytes/second just to keep things easily comparable.

I'll try to get some screen shots of the bandwidth graphs from the house a little later.

As promised attached are graphs from me trying this out with the Soekris box at my house on the 8/8 connection so the setup looks like this:
office LAN -> m0n0 on 2ghz server -> Office WAN switch -> ISP -> House WAN switch -> m0n0 on Soekris -> test computer

Anyone got any ideas? I can push 8M out from the house to the office, but I can't get over 1.5M from the office to the house...

Try first using the default HandBook recomendation
http://doc.m0n0.ch/handbook/ipsec-tunnels.html

Then make change to Blowfish.

When IpSec in on, disable PPTP

If exist a previous Mobile-vpn profile, disable it.

Both lan must be in different IP private familys. If keep use same family, then NAT 1-to-a is necesary and the traffic speed can down, because the packets can go over the Vpn
(there are several kinds of ways to build a effcicient same-family schema, but requires work)

I've tried the handbook recommendation with the same results. Also attempted disabling PPTP temporarily and it didn't change anything either (though I did re-enable PPTP because I use that for mobile clients). No mobile-profiles exist. Both LANs are on different subnets (10.1.1.0/24 & 10.1.3.0/24).

Any more ideas guys?