AlwaysOn VPN ikev2 slow and bandwidth varies a lot

RAS Server: Windows Server 2022 Core

NPS: Windows Server 2012 R2 (also a DC)

Router: Lancom 7100+ VPN

I basically followed this Guide and the User Tunnel works fine, it connects automatically and we can reach the internal network via rdp, ssh, smb and so on.

We have two issues:

  1. The bandwidth fluctuates between 3.47 and 41.7 Mbit/s with a mean of 17.6 Mbit/s, measured with iperf
  2. SMB is slow - it could be the sporadic drop in throughput or the increased latency

The VPN is usable in that we can reach the devices to administer them, but it's not good enough for our remote workers. Does anybody know if I can performance-tune anything?

As a comparison, my L2TP VPN (certificate authentication with the same NPS) has a pretty stable throughput of 63.5 Mbit/s.

If any additional information is needed just ask and I will provide it.

I’ve always used an mtu size of 1300 for IPSec/IKEv2 vpn traffic just to be on the safe side.

Have you tried determining the MTU of an active tunnel using ping -f or a tool like mtupath?

Sounds like MTU issues. Have you set the MTU on the tunnel to something like 1420 on the client?
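The two suggestions above (probe the tunnel with ping -f, then pin the client-side MTU) can be done from one PowerShell session on the AlwaysOn VPN client. This is an added example, not code from the thread or from the guide the poster followed; the probe target 10.0.0.10 and the connection name "AlwaysOn VPN" are placeholders you need to replace with your own internal host and AOVPN profile name.

```powershell
# Added example (not from the thread): binary-search the largest ICMP payload that
# passes through the tunnel with the Don't Fragment bit set, derive path MTU and
# TCP MSS from it, and compare with / pin the MTU of the VPN interface.
# Placeholders (assumptions): replace with an internal host and your AOVPN connection name.
$Target         = '10.0.0.10'
$InterfaceAlias = 'AlwaysOn VPN'

function Test-DfPing {
    param([string]$TargetHost, [int]$PayloadBytes)
    # ping -f sets DF, -l sets the ICMP payload size, -4 forces IPv4 so the
    # reply line contains "TTL=". An oversized probe is reported as
    # "needs to be fragmented but DF set" and carries no TTL= line.
    $out = & ping.exe -4 -n 1 -w 1000 -f -l $PayloadBytes $TargetHost 2>&1
    return [bool]($out -match 'TTL=')
}

function Find-PathMtu {
    param([string]$TargetHost, [int]$Low = 500, [int]$High = 1472)
    # $Low must pass; 1472 is the largest payload that fits a 1500-byte IPv4 MTU.
    if (-not (Test-DfPing -TargetHost $TargetHost -PayloadBytes $Low)) {
        throw "Even a $Low-byte payload fails; check connectivity or ICMP filtering first."
    }
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-DfPing -TargetHost $TargetHost -PayloadBytes $mid) { $Low = $mid }
        else { $High = $mid - 1 }
    }
    # Path MTU = payload + 8 (ICMP header) + 20 (IPv4 header); TCP MSS = MTU - 40.
    $mtu = $Low + 28
    [pscustomobject]@{ PayloadBytes = $Low; PathMtu = $mtu; TcpMss = $mtu - 40 }
}

$result = Find-PathMtu -TargetHost $Target
$result

# What the tunnel interface is currently configured with, for comparison.
Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NlMtu

# Pin the tunnel MTU to the discovered value (elevated shell required).
# Uncomment to apply; re-run Find-PathMtu afterwards to confirm nothing is fragmented.
# Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -NlMtuBytes $result.PathMtu
```

Run the probe against several internal hosts, since a single path can be smaller than the tunnel itself (a VXLAN or other encapsulation on the way in will show up as a lower PathMtu than the tunnel interface reports). A stable result that is lower than the interface's NlMtu is the case where setting the interface MTU helps; if the probe already matches the interface MTU, fragmentation is unlikely to be the cause of the throughput swings.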

Use a Linux VPN Server instead, never had performance issues on IKEv2 VPN with Linux.

Yeah, I tried that exact tool against some of our internal servers; it always calculates an MTU of 1400 (1372 MSS).

I guess I could try to limit it to 1300. Is client side enough?

It’s already at 1400 client side


Then 1500 through the rest of the network? Any vxlan or anything like that internally?

The RAS server provides its own subnet and routes everything to our router, so not a real VLAN, I guess.

The server has a single NIC, and its MTU is at 1500. I just changed it to 1400, but it doesn't make anything better:

Range: 6.06 to 40 Mbit/s with a mean of 17.3 over 100 seconds

I’d leave the server at 1500. How’s the server physically connected to the network? Direct to the router or is it going through any switches?

The RAS server is a VM but the physical server is connected with 2x 10Gbit to a switch and that switch has a 1G uplink to our Router