Hi!
I have two sites connected with IPsec in tunnel mode.
Site A: CCR1036 with 100/100 internet connection
Site B: RB3011 with 120/30 internet connection (LTE connection, so RTT is around 30 ms)
The IPsec link is working, however there are some issues with the performance.
Using iperf3 on two PCs, one at each site, if I use 30 parallel connections I can saturate the 100 Mbit link, and in reverse the 30 Mbit, so that is good. If, however, I use only a single iperf connection, the best I can achieve is around 20 Mbit, but 15 is more realistic. This is a big problem, because there is only a single user at the remote site using a single FTP and/or SMB connection, and it is too slow to work with.
Looking at the datasheet of the devices, I can see that the single-tunnel IPsec performance is around 60 and 40 Mbit/s respectively for 64-byte packets, which is the worst case. My question is: why am I not hitting at least 40 Mbit then?
What I have tried so far: aes-128-cbc, aes-128-ctr, camellia-128 (but even with software encryption, with 30 parallel connections maxing out the link, I only get around 45% CPU usage on the RB3011, even less on the CCR). I have checked MTU settings and MSS clamping; there is no fragmentation as far as I can tell, and PMTUD is not blocked.
Any recommendations? Short of replacing the gear...