Hi
We started using VyOS due to other options not being able to do a 1Gbps IPSec tunnel well without spending a tonne of money.
We’ve been very happy; however, we recently upgraded our link between the two sites to 2Gbps.
Running iperf across the WAN-facing link without the tunnel reaches 2Gbps without issue; through the IPSec tunnel, however, we only seem to get 1Gbps. Looking at the CPU, it doesn’t appear to be the issue.
I’m unsure whether there is anything I should be doing differently, or what I need to look at.
Config below:
# VyOS configuration as posted ("show configuration commands" style; public
# addresses redacted by the poster as x.x.x.x). Lines starting with '#' are
# review notes only and are ignored when pasted into the configure shell.
#
# OUTSIDE-LOCAL: ruleset for traffic addressed to the router itself.
#   rule 10  accept established/related
#   rule 20  accept ICMP echo-request
#   rule 30  drop new TCP/22 once 'recent' counts 4 hits within 60s
#            (presumably a per-source SSH rate limit; confirm semantics)
#   rule 31  accept remaining new TCP/22
# NOTE(review): nothing below binds this ruleset to an interface — eth0 has
# 'firewall in' / 'firewall local' nodes but no 'name' under them — so
# confirm the ruleset is actually applied and not just defined.
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
# Interfaces: eth0 is the WAN (/28), eth1 the LAN (/30 toward 172.16.75.254).
# The hw-id prefix 00:0c:29 is a VMware OUI, so this appears to be a VM;
# whether the guest gets AES-NI (and how many vCPUs/queues it has) is
# relevant to IPsec throughput — TODO confirm on the hypervisor side.
set interfaces ethernet eth0 address 'x.x.x.x/28'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 firewall 'in'
set interfaces ethernet eth0 firewall 'local'
set interfaces ethernet eth0 hw-id '00:0c:29:48:c0:9f'
set interfaces ethernet eth1 address '172.16.75.253/30'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id '00:0c:29:48:c0:a9'
set interfaces loopback 'lo'
# tun0: GRE tunnel to the remote site, protected by the IPsec peer policy
# below (tunnel 1 protocol 'gre'). No 'mtu' is set on tun0, so full-size LAN
# frames plus GRE+ESP overhead may exceed the WAN MTU and fragment —
# NOTE(review): worth checking in the context of the throughput question;
# not verifiable from this config alone.
set interfaces tunnel tun0 address 'x.x.x.x'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip 'x.x.x.x'
set interfaces tunnel tun0 remote-ip 'x.x.x.x'
# Remote-site prefixes are routed into the GRE tunnel.
set protocols static interface-route 10.0.29.0/24 next-hop-interface 'tun0'
set protocols static interface-route 10.1.66.0/24 next-hop-interface 'tun0'
set protocols static interface-route 172.16.29.0/24 next-hop-interface 'tun0'
set protocols static interface-route 192.168.28.0/24 next-hop-interface 'tun0'
set protocols static interface-route 192.168.29.0/24 next-hop-interface 'tun0'
set protocols static interface-route 192.168.248.0/24 next-hop-interface 'tun0'
# Local-site prefixes are reached via the LAN next hop 172.16.75.254.
set protocols static route 10.0.1.0/24 next-hop '172.16.75.254'
set protocols static route 10.0.2.0/24 next-hop '172.16.75.254'
set protocols static route 10.6.66.0/24 next-hop '172.16.75.254'
set protocols static route 172.16.1.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.20.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.60.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.61.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.62.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.63.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.64.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.66.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.68.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.100.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.128.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.167.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.168.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.169.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.170.0/23 next-hop '172.16.75.254'
set protocols static route 192.168.172.0/23 next-hop '172.16.75.254'
set protocols static route 192.168.200.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.220.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.252.0/24 next-hop '172.16.75.254'
set protocols static route 192.168.253.0/24 next-hop '172.16.75.254'
# SNMP: read-only community limited to a single management client. The
# community string is a credential; it has now been published with this post.
set service snmp community Management authorization 'ro'
set service snmp community Management client '192.168.64.175'
# SSH listens on the LAN address only. The OUTSIDE-LOCAL port-22 rules above
# would presumably only matter if SSH also listened on the WAN address.
set service ssh listen-address '172.16.75.253'
set service ssh port '22'
set system config-management commit-revisions '20'
set system 'console'
set system gateway-address 'x.x.x.x'
set system host-name 'mtl-munvpn01'
# NOTE(review): the password hash below and the IPsec pre-shared secret further
# down are posted verbatim in this thread; both should be rotated rather than
# reused from this config.
set system login user nigelincognito authentication encrypted-password '$6$IwyMO8AwuCz$F3Sh91UsRxmxZZ2YMw8znDXjYbQAnZtZkWrny2jVKOmRmwYzJ2JEY3Ec0bMRSwCooJheRAbVqBXQMEb9KcgTd.'
set system login user nigelincognito authentication plaintext-password ''
# 'helium' is the VyOS 1.1.x release train (presumably; confirm the running version).
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
# IPsec phase 2 (ESP): AES-128 with SHA1 integrity.
set vpn ipsec esp-group mtl-to-mun-esp proposal 1 encryption 'aes128'
set vpn ipsec esp-group mtl-to-mun-esp proposal 1 hash 'sha1'
# IPsec phase 1 (IKE): DPD probes every 30s, restart after a 30s timeout;
# DH group 2 (1024-bit MODP), AES-128, SHA1. dh-group 2 and sha1 are legacy
# choices — if the remote peer supports it, a larger DH group and SHA2 are
# preferable. Whether AES-GCM or a different cipher changes throughput on this
# host depends on hardware acceleration, which this config does not show.
set vpn ipsec ike-group mtl-to-mun-ike dead-peer-detection action 'restart'
set vpn ipsec ike-group mtl-to-mun-ike dead-peer-detection interval '30'
set vpn ipsec ike-group mtl-to-mun-ike dead-peer-detection timeout '30'
set vpn ipsec ike-group mtl-to-mun-ike proposal 1 dh-group '2'
set vpn ipsec ike-group mtl-to-mun-ike proposal 1 encryption 'aes128'
set vpn ipsec ike-group mtl-to-mun-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
# Site-to-site peer: PSK authentication, policy matches GRE (protocol 'gre')
# between the two public addresses, i.e. GRE-over-IPsec carrying tun0.
# NOTE(review): an iperf single stream will presumably land on one SA; whether
# that maps to a single crypto worker on this VM is the obvious throughput
# question to confirm before tuning anything else.
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret 'secret123'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'mtl-to-mun-esp'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'mtl-to-mun-ike'
set vpn ipsec site-to-site peer x.x.x.x local-address 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 protocol 'gre'