Try the following techniques to improve the performance of the VPN tunnel:
- On the client
  - Increase CPU processing power.
  - Eliminate or stop nonessential processes that use CPU time.
  - Increase the bandwidth of the Internet connection by using direct access (cable/DSL) in place of dial-up connections, if possible.
- On the server
  - To free memory, stop unnecessary proxy services on the firewall, such as SQLNetd, NNTPd, and others.
- Tunnel Parameters
  - VPN Policy parameters
    - Disable Compression on the VPN Policy.
    - Set rekey limits to their defaults (Data Volume: 2100000, Lifetime: 480, Inactivity: 0).
    - You may also try using a DES VPN Policy in lieu of a 3DES VPN Policy if CPU power is a concern.
  - Disabling/Enabling VPN tunnel use of the Proxy Services
    - In most cases, a VPN Policy that uses the Proxy services is only required when the administrator wishes to:
      - Restrict access to services through the tunnel (for instance, only telnet is allowed through the tunnel), or
      - Use NAT so that packets can return to the firewall (that is, the internal hosts behind the firewall/VPN server do not use the firewall/VPN server in any way, shape or form as their default gateway).
    - If you do not need to restrict access to specific services through the tunnel (all ports and protocols are allowed through a VPN tunnel to the defined Local Entity of the Secure Tunnel), and NAT is not necessary because internal hosts use the firewall/VPN server as their default gateway, this setting can be disabled. However, if you wish to restrict services through the tunnel or must use the NAT feature of the firewall/VPN server, this setting must be enabled.
    - To disable the Proxy Services feature, on the VPN Policy used by the tunnel, clear the "Pass Traffic from the Secure Tunnel to the Proxy Services (Required for NAT)" check box.
  - Proxy Services
    There are several rule-based items you can analyze and change to improve the throughput of a VPN tunnel that uses the Proxy services:
    - Make the VPN rules as specific as possible (including Source, Destination, Out Via, and the Services). If possible, try to avoid multiple rules identifying as a source, because the firewall scans the entire rule database to determine the "best fit" rule.
    - If possible, avoid using "all*" as a service in rules; instead, specify the individual services for the VPN rule.
    - Disable "Log Normal Activity" (on the Miscellaneous tab). This stops the Logging daemon from logging the activity that this rule applies to.
    - Disable "Application Data Scanning." Disabling this feature invokes the FastPath mechanism (HTTP) or the Kernel Proxy (all other Proxy services) for the services that apply to the specific rule. For information on FastPath and the Kernel Proxy, review the Firewall documentation provided with your product.
  - Address Transforms
    If you need to use Address Transforms (the firewall/VPN server NAT functionality), try the following to improve performance:
    - Use the "Use Gateway Address" option in the Address Transform in place of a NAT pool.
    - Make the Address Transform specific to your VPN Tunnel (the "best fit" method applies to Address Transforms as it does to rules; see item 4.1, above), and leave the VPNTunnelExitTransform and VPNTunnelEntryTransform at their defaults.