Improving VPN performance – stronger encryption = more performance

Tags: performance, site-to-site-vpn, sonicwall, vpn

I have a site-to-site VPN set up with two SonicWalls (a TZ170 and a Pro1260). It was suggested to me that turning off encryption (so the VPN is tunneling only) would improve performance. (I'm not concerned with security, because the VPN is running over a trusted line.)

Using FTP and HTTP transfers, I measured my baseline performance at about 130±10 kB/s.
The IPsec (Phase 2) Encryption was set to 3DES, so I set it to "none". However, the effect was opposite — the performance dropped to 60±30 kB/s, and the transfers stall for about 25 seconds before any data comes down the line. I tried AES-128 and the throughput went UP to 160±5 kB/s. The rated speed of my line is 193 kB/s (it's a T1).

Contrary to what I would think, stronger IPsec encryption seems to improve throughput. Can anyone explain what might be going on here? Why would no encryption cause poor and highly variable performance, and cause transfers to stall? Why does AES-128 improve performance?

Best Answer

AES is faster than 3DES because of the algorithm design (number of rounds, etc.), not because of the key size/encryption strength. I don't know much about SonicWall products, but I'd assume that the firewall product should be able to pass traffic at line speed for a T1, so there may be some issues there.

I'm not sure why you'd see performance that's worse when you turn off encryption, but if you don't need encryption, as Antoine Benkemoun said, you don't really need IPsec, especially not ESP (tunnel mode).
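The answer's point that AES outruns 3DES because of the algorithm, not the key length, is easy to check on any endpoint with `openssl speed`. This is an added example and not code from the answer or from SonicWall; it assumes an OpenSSL CLI that supports `speed -evp`, and the helper names (`throughput_kbps`, `faster_cipher`, `run_benchmark`) are my own.

```shell
#!/bin/sh
# Added example: compare AES-128-CBC and 3DES-CBC bulk throughput using
# `openssl speed`, which exercises the same block-cipher primitives a
# software IPsec ESP path would use. Assumes `openssl speed -evp` is available.

# Print the 1024-byte-block throughput (kB/s) for one cipher, reading
# `openssl speed` output on stdin. A result line looks like:
#   aes-128-cbc   123456.78k   234567.89k   345678.90k   456789.01k ...
# Column 5 is the 1024-byte figure; the trailing "k" is stripped.
throughput_kbps() {
    cipher="$1"
    awk -v c="$cipher" '$1 == c { sub(/k$/, "", $5); print $5 }'
}

# Given the two `openssl speed` outputs, report which cipher was faster
# at 1024-byte blocks: "aes" or "3des".
faster_cipher() {
    aes_out="$1"
    des_out="$2"
    aes=$(printf '%s\n' "$aes_out" | throughput_kbps aes-128-cbc)
    des=$(printf '%s\n' "$des_out" | throughput_kbps des-ede3-cbc)
    awk -v a="$aes" -v d="$des" 'BEGIN { r = (a > d) ? "aes" : "3des"; print r }'
}

# Live measurement: 3-second runs of each cipher on this host's CPU.
run_benchmark() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    aes_out=$(openssl speed -seconds 3 -evp aes-128-cbc 2>/dev/null)
    des_out=$(openssl speed -seconds 3 -evp des-ede3-cbc 2>/dev/null)
    echo "aes-128-cbc : $(printf '%s\n' "$aes_out" | throughput_kbps aes-128-cbc) kB/s"
    echo "des-ede3-cbc: $(printf '%s\n' "$des_out" | throughput_kbps des-ede3-cbc) kB/s"
    echo "faster: $(faster_cipher "$aes_out" "$des_out")"
}

# Run the live benchmark only when asked: sh benchmark.sh --run
if [ "${1:-}" = "--run" ]; then run_benchmark; fi
```

The figures reflect the host CPU's software implementation rather than a SonicWall appliance's crypto engine, but the ordering (AES-128 well ahead of 3DES) is what the round-structure argument in the answer predicts.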