rdiaz
Contributor

Quantum Spark 1600s site-to-site VPN Tunnel speed/throughput about 150Mbps on 1Gbps link...slow?

Hello Checkmates,

This is my first time creating a post here. 🙂  Also, I'm fairly new to Check Point firewalls.  I'm seeing what I consider slow VPN tunnel speed/throughput between sites.  All tests I ran (with OpenSpeedTestServer) yield pretty much the same speeds (around 150 to 175 Mbps download and upload).  All sites have 1Gbps Internet speeds (except 2 of them at 500Mbps and 200Mbps, but I don't bother testing those).   There are 6 x Quantum Spark 1600s and 2 x 1535 series (the 1535s are connected to the slower ISPs).  Azure VNet is part of the site-to-site as well.  I have most of the blades enabled on these firewalls (App Control, Identity, URL Filtering, IPS, Anti-Bot & Anti-Virus).  All these are managed by an on-premises management server, and the main site has a cluster of 2 x 1600s where the VPN tunnels run from.

These are all up to date, running R81.10.x versions.

My question is: is this the expected performance (around 150 to 175 Mbps download and upload) from these firewalls in a site-to-site setup?

I come from Cisco ASA 5500x and they were able to reach near the speeds of internet connections of 1Gbps via a site-to-site connection.

Any guidance is welcome and appreciated.  Thank you in advance.

Chris_Atkinson
Employee

Which encryption algorithms are used?

Is MSS clamping configured?

How is the test being run, are multiple concurrent connections used rather than a single flow?

CCSM R77/R80/ELITE
rdiaz
Contributor

Hi Chris,

Thank you for the quick response.

1.  See attached screenshot of the VPN community with all encryptions used (not sure which is which). I tried to embed the image, but got a message saying invalid HTML found in the message body.

2. I have no clue what MSS clamping is. 🙂  Can you tell me what this is and how to do it?

3.  I downloaded OpenSpeedTestServer (a web server that I put on a VM that has a 25Gbps NIC on it) and then open the URL of that web server on the other side of the VPN tunnel in another site, in this case HQ hosting the VPN server (with 1Gbps link) and the other is the Datacenter with 1Gbps on a physical server (in the web browser).  Not sure if this is using multiple or single flow.  How can I find out?

Thank you! 

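MSS clamping, which the reply above asks about and which the thread never spells out, is the gateway rewriting the TCP MSS option in SYN packets so that an inner TCP segment plus the ESP overhead still fits the outer interface MTU; otherwise every full-size segment from a LAN host (MSS 1460) leaves the gateway as an ESP packet larger than 1500 bytes and is either fragmented or, with DF set, dropped. The following worked computation is an added example, not code from the thread or from Check Point. The header, IV, ICV and padding sizes are the standard ones from RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128); the algorithm labels in `ESP_ALGS` and the function names are this example's own, and the product's clamping setting is whatever knob the gateway exposes, which this script does not touch.

```python
"""Compute the TCP MSS that fits inside an ESP tunnel of a given outer MTU.

Added worked example. Sizes follow RFC 4303 (ESP), RFC 3602 (AES-CBC),
RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128). Algorithm labels are
this example's own, not Check Point configuration strings.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20           # data segments normally carry no TCP options
UDP_HDR = 8            # added only when NAT-T (UDP/4500) encapsulation is in use
ESP_SPI_SEQ = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)

# label -> (IV bytes, ICV bytes, alignment the plaintext + trailer is padded to)
ESP_ALGS = {
    "aes-cbc/hmac-md5-96":     (16, 12, 16),
    "aes-cbc/hmac-sha1-96":    (16, 12, 16),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16":              (8, 16, 4),   # AEAD: the tag is the ICV, only 4-byte alignment needed
}


@dataclass(frozen=True)
class MssResult:
    tcp_mss: int       # value to clamp the TCP MSS option to
    wire_size: int     # outer packet size for a full-size inner segment


def esp_wire_size(alg: str, tcp_payload: int, nat_t: bool = False) -> int:
    """Outer IPv4 packet size for an inner TCP segment carrying `tcp_payload` bytes."""
    iv, icv, align = ESP_ALGS[alg]
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    padded = -(-(inner + ESP_TRAILER) // align) * align    # round up to the alignment
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_SPI_SEQ + iv + padded + icv


def max_tcp_mss(alg: str, outer_mtu: int = 1500, nat_t: bool = False) -> MssResult:
    """Largest MSS whose encrypted packet still fits in `outer_mtu` without fragmentation."""
    iv, icv, align = ESP_ALGS[alg]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_SPI_SEQ + iv + icv
    room = outer_mtu - fixed           # bytes left for the padded inner packet + trailer
    padded = room - room % align       # largest aligned block that fits
    mss = padded - ESP_TRAILER - IPV4_HDR - TCP_HDR
    return MssResult(mss, fixed + padded)


def needs_clamping(advertised_mss: int, alg: str, outer_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if a SYN carrying `advertised_mss` would lead to oversize ESP packets."""
    return advertised_mss > max_tcp_mss(alg, outer_mtu, nat_t).tcp_mss


if __name__ == "__main__":
    for alg in ESP_ALGS:
        for nat_t in (False, True):
            r = max_tcp_mss(alg, nat_t=nat_t)
            print(f"{alg:26s} nat_t={nat_t!s:5s} mss={r.tcp_mss} outer={r.wire_size}")
    # A LAN host advertises 1460; inside the tunnel that becomes an oversize packet.
    print("1460-byte segment on the wire:", esp_wire_size("aes-cbc/hmac-sha256-128", 1460))
```

Two things worth noticing from the output: with AES-CBC the 16-byte block padding means HMAC-MD5-96 and HMAC-SHA-256-128 end up with the same usable MSS (1398 at MTU 1500 without NAT-T), so the integrity algorithm buys no MTU headroom, only CPU time; and an unclamped 1460-byte segment produces a 1564-byte ESP packet, which is exactly the fragmentation or PMTUD-blackhole case that makes a tunnel look slow regardless of cipher.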
the_rock
Legend
(Accepted solution)

First off, WELCOME :). Secondly, totally valid points. I would refer you to the SK below, as it would certainly explain the behaviour.

Andy

https://support.checkpoint.com/results/sk/sk73980

rdiaz
Contributor

Thank you!  🙂  I'm seeing the encryption types might be the issue for me.  Looking at the link you provided and the encryption combination I see in my config (screenshot attached), it seems I have the worst combination for speed. 🙂  Is my conclusion correct?

Also, if I choose to change it, will this interrupt the VPN tunnels?  Thanks for your guidance, much appreciated.
Screenshot 2025-08-05 101530.png 

the_rock
Legend

Technically, it might interrupt the tunnel for a few minutes, since it needs a policy push, and probably resetting the tunnel would not be a bad idea.

Other than that, I would not anticipate any issues.

Andy

the_rock
Legend

Here is one IMPORTANT thing to remember: faster algorithms will NOT be as secure as slower ones, so please keep that in mind. We all know how important IT security is 🙂

Andy

rdiaz
Contributor

Thank you!  Yes, I'm willing to take a bit more risk since we only deal with file/print and nothing includes PII data of any sort.

so Question: based on my screenshot, (attached)
Screenshot 2025-08-05 101530.png

If I change Phase 1 Data Integrity from SHA256 to SHA1 (or MD5) and the Diffie-Hellman group from Group 14 to Group 2 (1024-bit)

and 

in Phase 2, change Data Integrity from SHA256 to SHA1 (or MD5) and Group 14 to Group 2 (1024-bit).

Will that work properly and still be secure to some extent?

Thanks. 

the_rock
Legend

It would be LESS secure, but in your case, I would give it a go.

Andy

rdiaz
Contributor

Thank you, I will give that a go during off hours just in case.  I'm using SmartConsole to do all this.  Just to make sure I'm doing this right: make changes to encryption as noted above, push policy to all firewalls, then test tunnels and test speeds as before?  That sounds about right? 🙂

the_rock
Legend

You got it.

the_rock
Legend

I was thinking you should do policy verification, but there is no need, since you would not be changing the policy itself; just install.

Andy

G_W_Albrecht
Legend

As an addition:

- enabled TP blades make traffic slower

- try to open more than one connection at the same time for testing, as single connections will not get the full speed (so there will be resources left for other connections)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
rdiaz
Contributor

Thanks, I'm not familiar on how to do this on checkpoint.  Can you provide guidance on how to do this please?  thank you. 

Danny
Champion

Best practice is to set up a VPN datasheet with the most compatible settings at first (example).
Once this is working you can start fine-tuning your VPN parameters to more secure values.
Speed tests based on a single file transfer will not show you the full picture, just give you an indication. Try multiple file transfers at the same time in both directions instead.

rdiaz
Contributor

Thank you!  I will try multiple file transfers simultaneously and test.  I believe OpenSpeedTestServer does multi-connection to perform the speed test.

G_W_Albrecht
Legend

- make a server accessible on one site (http, ftp...)

- use e.g. a browser on the site on the other side of the tunnel to open upload or download connections

- first try one connection and note the throughput (time and size of transferred file), then more at the same time

- compare the possible throughputs according to the number of connections

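The procedure above, written out as a script so the single-connection versus multi-connection comparison is repeatable. This is an added example, not code from the thread, OpenSpeedTest or Check Point: with no arguments it starts its own loopback HTTP server serving a constructed random blob (so it runs offline); pass the URL of a file on a web server on the far side of the tunnel to measure the tunnel itself. The function names, the 4 MiB blob size and the 1/2/4/8 connection sweep are this example's own choices.

```python
"""Single- vs multi-connection throughput test across a tunnel (added example).

Run with no arguments to exercise it against a built-in local server; run with
a URL (a file served on the far side of the VPN) to measure the tunnel.
"""
import os
import sys
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed 4 MiB test file. Random bytes do not compress, like encrypted traffic.
BLOB = os.urandom(4 * 1024 * 1024)


class BlobHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(BLOB)))
        self.end_headers()
        self.wfile.write(BLOB)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_local_server():
    """Serve BLOB on a random loopback port; returns (server, url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), BlobHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/test.bin"


def fetch(url, chunk=256 * 1024):
    """Download url completely and return the byte count (body is discarded)."""
    total = 0
    with urllib.request.urlopen(url, timeout=120) as resp:
        while True:
            buf = resp.read(chunk)
            if not buf:
                return total
            total += len(buf)


def measure(url, connections):
    """Download url `connections` times in parallel.
    Returns (total_bytes, seconds, aggregate Mbit/s)."""
    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=connections) as pool:
        total = sum(pool.map(fetch, [url] * connections))
    elapsed = time.perf_counter() - start
    return total, elapsed, total * 8 / elapsed / 1e6


def sweep(url, counts=(1, 2, 4, 8)):
    """Aggregate throughput for each connection count, keyed by count."""
    return {n: measure(url, n) for n in counts}


def local_self_check(connections=3):
    """Offline check against the built-in server: (bytes received, bytes expected)."""
    srv, url = start_local_server()
    try:
        total, _, _ = measure(url, connections)
    finally:
        srv.shutdown()
    return total, connections * len(BLOB)


if __name__ == "__main__":
    srv = None
    if len(sys.argv) > 1:
        url = sys.argv[1]
    else:
        srv, url = start_local_server()
    for n, (total, secs, mbps) in sweep(url).items():
        print(f"{n:2d} connection(s): {total / 1e6:7.1f} MB in {secs:5.2f} s = {mbps:8.1f} Mbit/s")
    if srv:
        srv.shutdown()
```

How to read the sweep: if one connection gets around 150 Mbit/s and the aggregate keeps climbing as connections are added, the limit is per flow (one core handling that tunnel, TCP window versus latency, or loss), and the gateway still has headroom, which is what the posts above are getting at; if the aggregate stays flat as connections are added, the link or the gateway's total encryption capacity is the ceiling and adding flows will not help. Run it in both directions, since upload and download take different paths through the two gateways.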
rdiaz
Contributor

Thank you all for the guidance and advice!  I want to post an update and results on the changes I have made.
I updated the encryption in the VPN community to AES-128, MD5 and 1024-bit (again, it's a mesh setup).  I also disabled the TP blades.

I'm happy to report an increase of about 100Mbps for the site-to-sites after this change (it went from about 150Mbps to 250+ Mbps down/up).  I performed this test with a web server and also by copying multiple ISO files (about 5GB in size) on the same server from one site to another (I also did a single file copy, and the results are the same speed as when using multiple files).   This is true with TP blades on or off.  So that's great to see.

What is the realistic expected throughput between these Spark 1600s firewalls for VPN tunnels? 

Now, is there anything else I can do to improve the connection speed?

Does having a mesh vs. hub-and-spoke affect speeds?

These tunnels are set as Permanent as well, does that affect speed? (screenshot)

I'm very thankful for all your support.
Timothy_Hall
Legend

Mesh vs. Star topology will not affect speed.  Permanent Tunnels send heartbeats through the tunnel, but this is a minuscule amount of data and should have no tangible impact on overall performance.

Normally, I would recommend using a Galois Counter Mode (GCM) AES variant for the IKE Phase 2/IPSec encryption algorithm; GCM combines the encryption and hashing functions into a single, more efficient operation that can be accelerated by the Intel AES-NI processor extension.  However, the 1600 uses an ARM processor, which I'm assuming does not support AES-NI or whatever the ARM equivalent is.

Give AES-128-GCM for IKE Phase2/IPSec a try and retest performance, my guess is it will be slower due to the non-Intel processor, but I could be wrong.  Other than that, I think you've got about all the speed you are going to get.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
rdiaz
Contributor

Thanks Timothy!  I appreciate your input.  I will give that a try, and yes, I expect the performance to be less.  If this is the best the 1600s can do, then my search is over.

Thanks. 🙂

rdiaz
Contributor

Thank you @Timothy_Hall   I tried this, but it only got a bit slower. 🙂  Using AES-128, MD5 and Group 2 (1024-bit) seems to yield the best performance in my case. 🙂

Timothy_Hall
Legend

Thanks for the followup, that was what I expected.

sigal
Employee

Hi @rdiaz
Can you try the following settings and check if it improves the throughput?
1. In SmartConsole, under the community configuration -> Tunnel Management, set separate VPN tunnel per each pair of hosts
2. On the 1600 external interface (the one that receives the encrypted traffic), run: ethtool -N <interface name> rx-flow-hash esp4 sdfn
3. Copy multiple files from separate servers

Thanks.

rdiaz
Contributor

Thank you Sigal, 

1.  I will give that a try.  Will this take the VPN tunnel down momentarily? 

2. What does this command do?  Would I do this on all 1600s? (I have about 6 of them in the tunnel). 

3.  Ok, will do.

Thank you very much for the suggestions. 

sigal
Employee

1. It is probably best to delete the VPN tunnels after making this change and install the policy. This can be achieved using the command: vpn tu del all
2. This command distributes the traffic to CPU cores based on the SPI field. I do not suggest applying it to all gateways before we establish that it actually makes a difference

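Why the two suggestions above go together, shown as an added example (not Check Point code and not a description of the 1600's NIC driver): receive-side scaling on a NIC picks the RX queue, and hence the core, from a hash of packet fields. If ESP is hashed only on the IP addresses, every packet between two gateways has the same (src, dst) pair and lands on one queue, so one core decrypts the whole tunnel no matter how many cores the box has. With one tunnel per host pair there are several inbound SAs, each with its own SPI, and `rx-flow-hash esp4 sdfn` adds the SPI to the hash input, which is what lets the packets fan out. Assumptions made here: the NIC uses the Toeplitz RSS hash (the common case); ethtool's field letters for esp4 are s = source IP, d = destination IP, f = L4 header bytes 0-1 and n = L4 header bytes 2-3, which for ESP together form the 32-bit SPI; the key is a constructed repeating pattern so the result can be checked by hand, and `hash mod queue count` stands in for the real indirection table. The addresses and SPIs are constructed values.

```python
"""Why 'one tunnel per host pair' plus rx-flow-hash esp4 sdfn spreads ESP over cores.

Added example, not Check Point code. Assumes a Toeplitz RSS hash; ethtool esp4
field letters s=src IP, d=dst IP, f=L4 bytes 0-1, n=L4 bytes 2-3 (f+n = SPI);
queue = hash mod queue count stands in for the NIC's indirection table.
"""
import ipaddress

# Constructed key with a repeating 0b00110011 pattern so the spread can be checked
# by hand; real NICs use a 40-byte random or driver-supplied key.
RSS_KEY = bytes([0x33]) * 40
RX_QUEUES = 4   # assume one RSS queue per core


def toeplitz(data: bytes, key: bytes = RSS_KEY) -> int:
    """Toeplitz hash: XOR the 32-bit key window starting at each set input bit."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    assert len(data) * 8 + 32 <= key_bits, "key too short for this input"
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] >> (7 - i % 8) & 1:
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def esp_hash_input(src: str, dst: str, spi: int, fields: str) -> bytes:
    """Bytes the NIC hashes for an ESP packet under `ethtool -N <if> rx-flow-hash esp4 <fields>`."""
    spi_bytes = spi.to_bytes(4, "big")
    parts = {
        "s": ipaddress.IPv4Address(src).packed,
        "d": ipaddress.IPv4Address(dst).packed,
        "f": spi_bytes[:2],   # L4 bytes 0-1 = high half of the SPI
        "n": spi_bytes[2:],   # L4 bytes 2-3 = low half of the SPI
    }
    return b"".join(parts[f] for f in "sdfn" if f in fields)


def rx_queue(src: str, dst: str, spi: int, fields: str = "sdfn", queues: int = RX_QUEUES) -> int:
    """RX queue (core) an ESP packet lands on."""
    return toeplitz(esp_hash_input(src, dst, spi, fields)) % queues


def queues_used(spis, fields: str = "sdfn", src: str = "198.51.100.10", dst: str = "203.0.113.20"):
    """Set of RX queues that ESP packets with these SPIs, between one gateway pair, land on."""
    return {rx_queue(src, dst, spi, fields) for spi in spis}


# Constructed SPIs. One tunnel per gateway pair = one inbound SA = one SPI;
# one tunnel per host pair = several SAs, each with its own SPI.
SINGLE_SA = [0x10000001]
PER_HOST_PAIR_SAS = [0x10000001, 0x10000002, 0x10000004, 0x10000008]

if __name__ == "__main__":
    print("1 SA,  hash on sdfn:", sorted(queues_used(SINGLE_SA)))
    print("4 SAs, hash on sd  :", sorted(queues_used(PER_HOST_PAIR_SAS, fields="sd")))
    print("4 SAs, hash on sdfn:", sorted(queues_used(PER_HOST_PAIR_SAS)))
```

The first two lines of output show one queue in use, the third shows all four: neither change helps on its own, since one SA has one SPI to hash and address-only hashing ignores the SPI. On the gateway, `ethtool -n <interface> rx-flow-hash esp4` shows the current field set, and comparing per-core load under test traffic before and after the change is the way to confirm the NIC and driver on the 1600 actually honour it, which is why the advice above is to try it on one gateway first.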
rdiaz
Contributor

Thanks Sigal,

1.  What does this command actually do?  Will this delete the VPN tunnel community?  Will I need to re-create the VPN tunnels after that?

sigal
Employee

1. It will delete existing VPN tunnels, but those should be automatically recreated when traffic that should be encrypted reaches the gateway

rdiaz
Contributor

Cool, I'll try that @sigal   Thanks.

the_rock
Legend

Hey @rdiaz 

Just curious, did you ever end up opening TAC case for this, just to see if they have any other suggestions?

Andy

rdiaz
Contributor

I have not done that, I was hoping it was a quick answer/easy fix.  But I will open one up after trying some of the new suggestions. 🙂

thanks. 
