ZyXel USG60 VPN performance

Brady
edited April 2021 in Security
We just bought a USG60 for connecting two offices with VPN. We got unexpectedly low site-to-site VPN performance. I am wondering if that is normal.

Our main office has a ZyWall 1900. Our second office is in an adjacent building. It is pretty close, but there is no LAN between the two offices, so we have to use VPN to connect the two networks. The bandwidth between the offices is 300 - 500 Mbs depending on traffic. Without VPN, wget can achieve as high as 400 - 500 Mbs.

When site-to-site VPN is enabled, the performance is consistently 80 - 90 Mbs. It is only about half of the datasheet performance of 180 Mbs. When a large data transfer is happening over VPN, I found I can't log into the USG60 and the UI is not responsive.

What is your experience with VPN performance of the USG60? Do you get more than 90 Mbs over VPN? Any feedback is much appreciated.

Brady

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @Brady,
    What are your device's VPN phase 2 DH group, encryption and authentication methods? The more complex the methods used, the lower the throughput, due to CPU calculation overhead.
    Moreover, how did you test the VPN performance? With iperf, or just a single-session HTTP download?
  • Brady
    Hi, @Zyxel_Cooldia,

    Phase 2 uses the following settings:
    1. ESP
    2. Tunnel
    3. Encryption AES128
    4. Authentication is SHA1
    5. PFS is DH2

    I tried to disable encryption. But the result is worse than with encryption enabled.

    I tested performance with both iperf and wget of a large ISO file. The test was done with and without VPN. Iperf gives slightly better performance than wget.

    Do you see any problems with encryption and authentication settings?

    Thanks,

    Brady
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @Brady,
    The data sheet performance is measured with UDP packets (based on RFC 2544).
    If you run the test in UDP, the performance can be up to around 18x Mbps.
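The packet-size arithmetic behind the phase 2 settings listed in the thread, run over the RFC 2544 Ethernet frame sizes, as an added example that is not part of the original posts. It assumes AES128 in CBC mode, HMAC-SHA1-96, an IPv4 outer header without options, no NAT-T and a 1500-byte path MTU, none of which the thread states.

```python
# Added example: ESP tunnel-mode size arithmetic for AES128 + SHA1.
# Assumed, not stated in the thread: AES-CBC, HMAC-SHA1-96, IPv4 outer
# header without options, no NAT-T (UDP encapsulation).
OUTER_IPV4 = 20    # outer IPv4 header
ESP_HEADER = 8     # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # per-packet IV
AES_BLOCK = 16     # plaintext is padded to a multiple of the block size
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the ciphertext
SHA1_96_ICV = 12   # HMAC-SHA1 truncated to 96 bits
FIXED = OUTER_IPV4 + ESP_HEADER + AES_CBC_IV + SHA1_96_ICV

# Ethernet frame sizes used by RFC 2544 benchmarks (bytes, including FCS)
RFC2544_FRAMES = (64, 128, 256, 512, 1024, 1280, 1518)
ETH_OVERHEAD = 18  # 14-byte Ethernet header + 4-byte FCS


def esp_packet_len(inner_len):
    """Outer IPv4 packet length after encapsulating one inner IP packet."""
    pad = -(inner_len + ESP_TRAILER) % AES_BLOCK
    return FIXED + inner_len + pad + ESP_TRAILER


def max_inner_len(path_mtu=1500):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = (path_mtu - FIXED) // AES_BLOCK * AES_BLOCK
    return room - ESP_TRAILER


def efficiency(inner_len):
    """Fraction of the outer packet's bytes that are inner packet bytes."""
    return inner_len / esp_packet_len(inner_len)


def report(path_mtu=1500):
    """(frame, inner packet, outer packet, exceeds MTU) per RFC 2544 size."""
    rows = []
    for frame in RFC2544_FRAMES:
        inner = frame - ETH_OVERHEAD
        outer = esp_packet_len(inner)
        rows.append((frame, inner, outer, outer > path_mtu))
    return rows


if __name__ == "__main__":
    for frame, inner, outer, too_big in report():
        flag = "exceeds path MTU" if too_big else ""
        print(f"{frame:5d} {inner:5d} {outer:5d} {efficiency(inner):6.1%} {flag}")
    print("largest inner packet that fits in 1500:", max_inner_len())
```

The last row is the edge case: a full 1500-byte inner packet no longer fits in one outer packet, so full-size TCP segments sent through the tunnel are either fragmented or have to be reduced in size.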

