Best throughput performance on FVX538 and FVS318

voyager

Hi to everyone,

I implemented IPsec VPN tunnels between main office and our 3 branch offices.
I used Netgear FVX538V2 for main office and FVS318 V3 for branch offices. The performance of our ERP application (based on MS SQL 2005 in main office) from our branch offices is very poor.

I am wondering what VPN encryption protocol gives the biggest throughput, because I thought that it is DES, but I read some articles and maybe I have to try 3DES or AES.

What should I choose for IKE and VPN policies regarding throughput performance on this equipment, in your experience:

Encryption algorithm (DES, 3DES or AES)
Integrity algorithm (MD5 or SHA-1)
PFS Key Group (Group 1, Group 2 or Group 5)

Regards
 
The higher the level of encryption, the lower the throughput, in general. So DES should provide the highest throughput.
 
It certainly varies from hardware to hardware, but anything purchased within the past...<quite a few years> should have a VPN accel chip which will be efficient for running AES. AES was designed to be more "efficient" on newer hardware. Not only will it be more secure (DES is old old old)..but you should have more throughput on "most" hardware....given roughly the same clock speed of the appliance.

Now granted you may come across some older or lower end VPN hardware that has chips which are designed to work better with DES.

I'm not familiar with Netgear's VPN products. However, some other things I'd consider when doing a WAN implementation like this...
*Upload speed of the connection at the main office (mothership)...should be at least the sum of the uploads of the satellite offices combined. Example...if your 3 satellite offices have 1500/256 pipes...I'd want mothership's internet pipe to have at least a 768 upload. That way the weakest link between mothership and each individual branch office is 256. Remember, with VPN tunnels the weakest link will dictate the base speed of the VPN tunnel. You don't want to have a 256 upload at mothership trying to divide out to 3x satellites.

*Many appliances that support site to site VPN tunnels will have a QoS feature that secures a % of the avail bandwidth dedicated towards the VPN tunnel. This way stuff like sudden amounts of large e-mail, or office staff listening to online radio streaming...don't consume all your bandwidth and effectively turn the VPN pipes into less than dial up bandwidth. So following my bandwidth analogy say you have 768 upload..you can dedicate at least 512 of that to the VPN tunnels...giving only 256 of it to your mothership's "other" use.

*Killing netbios in the tunnels...it's very chatty and will consume much of your VPN bandwidth. This can be tricky though, depending on your setup, as since you're running a SQL app through the tunnel, you need good name resolution via ODBC...so you'll have to have DNS set up well, and possibly (depending on the hardware used) may have to lean on old WINS.

Not knowing the size of your setup, how many users, what other services are running at your main site...you may want to consider a dedicated VPN box at least at the central office.

I don't know what your budget is, but I'll tell you...for brands of VPN hardware, after working with a few of them I've been the happiest with Juniper hardware...in terms of both performance, and their support (VERY good support, mid-US based)
 
