Endpoint Security VPN network performance

jakmic · ‎2023-04-28

Hello,

We have problem with data transfer performance via VPN in our lab environment.

Topology:

Cluster of 2 VM Gateways

Windows VPN client

MacOS ssh server

When we are transferring data over LAN (between two networks) speed of 3GB file transfer is some about 200Mbps

When we are transferring data over VPN speed of 3GB file transfer is some about 20Mbps (WinSCP)

Lab environment hasn't any performance problems (CPU of active gateway is about 5%)

WAN network is 1Gbps/1Gbps on every site.

ESP: AES-256 + SHA256 (we tried lower security algorithms, but nothing changes)

Scheme: IKE

How can we increase VPN network performance

Ruan_Kotze · ‎2023-04-28

There's a couple of unknowns here - but sk105119 would be your best starting point.

Also make sure AES-NI is enabled on the processor level (since you're running OpenServer / VM) otherwise AES-256 will not be accelerated.

Thanks,
Ruan

jakmic · ‎2023-05-04

I neet to check, because VM is running on our Data Center solution - For now, I don't know hardware specification on backend

jakmic · ‎2023-05-04

Yes, there is AES flag recognized by Checkpoint VM

Chris_Atkinson · ‎2023-04-28

Which client version are you using E86.60 or higher?

(Client side AES-NI support was introduced here)

CCSM R77/R80/ELITE

jakmic · ‎2023-05-04

E86.50

PhoneBoy · ‎2023-04-28

What version of gateway?
Cores/memory allocation for the VM?
R81.20 might have better performance in this regard due to some internal changes.

jakmic · ‎2023-05-04

2 Cores, Memory 4GB

R81.10 JB Take 87

AndreiR · ‎2023-05-04

Hi @jakmic ,

Take the latest version E87.20. It has multiple improvements comparing to E86.50:

It has AES-NI support on client side
It has new and improved VPN driver
It has experimental flag which may also help:
In the registry set the following value:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\TRAC]
"disable_threaded_ipsec"=dword:00000000

Besides that make sure logging level in the client is set to Basic. Extended mode significantly consumes performance.

I'm not sure 2 Cores + 4Gb RAM is sufficient for R81.10 gateway. Which hardware do you use for VPN client? There more powerful device you use for testing the higher performance you should get.

PhoneBoy · ‎2023-05-04

Those are bare minimum system requirements for a gateway.
You'll definitely want to allocate additional cores and RAM if performance is a concern.

jakmic · ‎2023-05-09

For Test environment and one VPN user I think is enough 🙂

I went by your proposition and check load on gateway and client computer

During transfer GW had some about 64% in peaks and average 20% , but our client site had 100% (i5-5300U)

On newer Endpoint VPN Client (E87.20) we received 50% faster transfer (30-35Mbps) so @AndreiR thank you 🙂

We took newer client hardware (i7-12700H) and tried again - now transfers are optimistic - some about 320Mbps (10x more) - CPU load about 20-23% during transfer

Now I have a question, there is any solution to optimize client Endpoint Security VPN on older hardware?

From another side, when you go to https://www.checkpoint.com/quantum/remote-access-vpn/#downloads (look like main point to download client) you will receive older version (E86.50_CheckPointVPN.msi)

Chris_Atkinson · ‎2023-05-09

Trying different encryption algorithms might be at the expense of security.

I've asked internally for the website links sighted above to be updated.

CCSM R77/R80/ELITE

PhoneBoy · ‎2023-05-10

The E87.xx releases do not have a "recommended" release yet, which is probably why it's not linked directly from checkpoint.com

PhoneBoy · ‎2023-05-09

In terms of optimizing performance on older computers, there's not much that can be done at this time.

Are you a member of CheckMates?

Endpoint Security VPN network performance