Scenario:

  • We have a network link between two offices.
  • The link is provided by a third-party company through a VLAN on their network, but to us it is totally transparent (as if we had a simple Ethernet cable going from one location to the other).
  • We have one router at each side of the link, with 3 VPN tunnels in between the two.

The test (programs used): LanSpeedTest with the 100MB transfer setting. I also transferred a 2GB file with Teracopy and checked the average speed (and the result was the same as with LanSpeedTest).

  • When I test the speed of the network link with the routers in place, with one laptop directly connected to the router on each side, I consistently get ~30/35Mbps.
  • But if I take out the routers and I test the link connecting the laptops directly to the ethernet cable at each side, I consistently get ~85/88Mbps.

It's quite a big performance hit, and I would tend to think that the VPN tunnels are responsible for the slow down.

Is it normal that this configuration (two routers with three VPN tunnels between them) takes away so much bandwidth?

More info:

  • The VPN type is IPSec and the encryption algorithm used is AES128.
  • The router models are Zyxel USG200 and Zyxel USG1000, and their CPU, memory, and storage use is well within normal limits. ADP, IDP, antivirus, content filter and anti-spam are disabled on both routers.
  • The nominal bandwidth of the network link is 100Mbps.
  • The network link in question is supplied by a third party company (the building in between our two offices). Basically it passes through their network as a VLAN, but the VLAN is completely transparent to us (e.g. no configuration required on our side, just like one single cable from end to end).

Unfortunately (or maybe fortunately) I cannot directly test different router configurations as I'm not the person in charge of them.

  • 1
    What kind of routers are they? Older ones may not cope so well with the overhead a VPN gives. – Nathan C Oct 22 '13 at 01:21
  • 1
    Is this an IPSec VPN, I presume? – EEAA Oct 22 '13 at 02:08
  • 3
    OK, I'll say it: The fact that you don't need the routers to establish connectivity between both offices tells me that the network transits a "private" network through the third party rather than being routed through the internet, so why do you want/need the VPN? – joeqwerty Oct 22 '13 at 03:28
  • 1
    The USG 200 is only rated for 40Mbps if AV/IDP are enabled. Check your settings. – Michael Hampton Oct 22 '13 at 05:17
  • @joeqwerty we use the encrypted VPNs exactly because the data transits through a third party network over which we have no control.. For what we know they might just want to spy on us :-) [however unlikely] –  Oct 22 '13 at 05:17
  • @NathanC they are Zyxel USG200 and USG1000, they are new, and from what I understand they are quite capable models. –  Oct 22 '13 at 05:20
  • @EEAA yes, IPSec VPN.. –  Oct 22 '13 at 05:21
  • @MichaelHampton ADP, IDP, antivirus, content filter and anti-spam are all disabled on both routers. –  Oct 22 '13 at 07:11
  • 1
    What sort of settings were you using to test the bandwidth? VPN encrypted packets have a smaller "payload" and that can cause fragmentation, and a rather inefficient usage of the bandwidth.. Remember, you also have the overhead of the VLAN reducing packet size (however minimal).. – NickW Oct 22 '13 at 08:22
  • @NickW I used a program called LanSpeedTest with the setting of 100MB transfer. I also used Teracopy to transfer a 2GB file and then I checked the average transfer speed. Finally, I checked the PING, and I constantly got <1ms without routers, and 2ms, 3ms with the routers. –  Oct 24 '13 at 05:23
  • @NickW the PING measurements above are taken in a moment without any other network activity. –  Oct 24 '13 at 05:30
  • 1
    Try testing the bandwidth over the VPN tunnel with iptraf using different packet sizes. Firewalls/vpn routers are limited by the packets per second, so you'll get this kind of performance if your applications use very small segment sizes. – pauska Oct 24 '13 at 07:06
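
The per-packet overhead and fragmentation raised in the comments above can be worked out for a given packet size. This is an added example, not part of the original thread; it assumes IPv4 ESP tunnel mode with AES-128-CBC, HMAC-SHA1-96 and no NAT-T (the page only states "IPSec" and "AES128"), and a 1500-byte path MTU.

```python
# Assumed parameters (the page only says "IPSec" and "AES128"):
# IPv4, ESP tunnel mode, AES-128-CBC, HMAC-SHA1-96, no NAT-T.
OUTER_IP = 20     # outer IPv4 header
ESP_HEADER = 8    # SPI + sequence number
IV = 16           # AES-CBC initialisation vector
BLOCK = 16        # AES block size; ciphertext is padded to a multiple of it
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV = 12          # HMAC-SHA1 truncated to 96 bits
FIXED = OUTER_IP + ESP_HEADER + IV + ICV


def esp_outer_size(inner_len):
    """Bytes of the outer IPv4 packet that carries an inner packet of inner_len bytes."""
    blocks = -(-(inner_len + ESP_TRAILER) // BLOCK)  # ceiling division
    return FIXED + blocks * BLOCK


def max_inner_mtu(path_mtu=1500):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    ciphertext = (path_mtu - FIXED) // BLOCK * BLOCK
    return ciphertext - ESP_TRAILER


def fragments(inner_len, path_mtu=1500):
    """Number of outer IPv4 fragments needed to carry one inner packet."""
    per_fragment = (path_mtu - OUTER_IP) // 8 * 8   # fragment data is 8-byte aligned
    payload = esp_outer_size(inner_len) - OUTER_IP
    return -(-payload // per_fragment)


def tcp_efficiency(inner_len, path_mtu=1500):
    """TCP payload bytes divided by IP-layer bytes sent on the link."""
    n = fragments(inner_len, path_mtu)
    wire = esp_outer_size(inner_len) + OUTER_IP * (n - 1)  # extra header per fragment
    return (inner_len - 40) / wire                         # 40 = inner IPv4 + TCP headers


if __name__ == "__main__":
    print("inner  outer  frags  efficiency")
    for size in (64, 576, max_inner_mtu(), 1500):
        print(f"{size:5d}  {esp_outer_size(size):5d}  {fragments(size):5d}"
              f"  {tcp_efficiency(size):.3f}")
```

Under these assumptions a full 1500-byte inner packet becomes two outer packets, while anything up to `max_inner_mtu()` bytes fits in one.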
