IPsec Site to Site VPN 參數建議

ipsec site to site vpn

1833 2025-05-11 13:37:12 ‧ 3283 瀏覽

分享至

使用環境多媒體影音傳輸(4K影音播放及4K IPCamera影像回傳24FPS 16000kbps)初步設定完成尋求穩定設定參數。

網路服務：今網寬頻
A端: UniFi Dream Machine 網路速率：400/400
B端: UniFi Cloud Gateway Ultra 網路速率：300/300

VPN 類型 IPSec
VPN 方法基於路由
隧道 IP A: 192.168.229.1/30 | B: 192.168.229.2/30

UDM/UCG 進階設定若採用預設“Auto"會無法連線，改為手動參數若維持原廠預設會持續產生中斷連線告警，以下目前配置參數。

金鑰交換版本 IKEv2

IKE
加密 AES-256
雜湊 SHA256
DH 群組 15
生命週期 86400

ESP
加密 AES-256
雜湊 SHA256
DH 群組 15
生命週期 86400
完整轉寄密碼(PFS) Enable

最大傳輸單元 Auto (預設值1419) 位元組
路由距離 30

Ａ端：
admin@admin ~ % ping 192.168.2.1 -c 10
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=2.472 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=1.558 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=1.589 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=63 time=1.569 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=63 time=4.100 ms
64 bytes from 192.168.2.1: icmp_seq=5 ttl=63 time=3.513 ms
64 bytes from 192.168.2.1: icmp_seq=6 ttl=63 time=5.837 ms
64 bytes from 192.168.2.1: icmp_seq=7 ttl=63 time=2.652 ms
64 bytes from 192.168.2.1: icmp_seq=8 ttl=63 time=1.643 ms
64 bytes from 192.168.2.1: icmp_seq=9 ttl=63 time=1.458 ms

--- 192.168.2.1 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.458/2.639/5.837/1.377 ms
admin@admin ~ % iperf3 -c 192.168.2.6
Connecting to host 192.168.2.6, port 5201
[ 5] local 192.168.1.190 port 58548 connected to 192.168.2.6 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 9.62 MBytes 80.4 Mbits/sec
[ 5] 1.00-2.00 sec 9.50 MBytes 79.7 Mbits/sec
[ 5] 2.00-3.00 sec 8.88 MBytes 74.6 Mbits/sec
[ 5] 3.00-4.00 sec 9.38 MBytes 78.5 Mbits/sec
[ 5] 4.00-5.00 sec 9.50 MBytes 79.8 Mbits/sec
[ 5] 5.00-6.00 sec 9.25 MBytes 77.9 Mbits/sec
[ 5] 6.00-7.00 sec 9.75 MBytes 81.7 Mbits/sec
[ 5] 7.00-8.00 sec 9.75 MBytes 81.7 Mbits/sec
[ 5] 8.00-9.00 sec 8.50 MBytes 71.1 Mbits/sec
[ 5] 9.00-10.00 sec 9.62 MBytes 80.8 Mbits/sec

[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 93.8 MBytes 78.6 Mbits/sec sender
[ 5] 0.00-10.01 sec 93.5 MBytes 78.3 Mbits/sec receiver

～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～～

Ｂ端：
PS C:\iperf3> ping -n 10 192.168.1.1

Ping 192.168.1.1 (使用 32 位元組的資料):
回覆自 192.168.1.1: 位元組=32 時間=2ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=4ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=2ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=40ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=38ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=2ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=2ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=83ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=61ms TTL=63
回覆自 192.168.1.1: 位元組=32 時間=37ms TTL=63

192.168.1.1 的 Ping 統計資料:
封包: 已傳送 = 10，已收到 = 10, 已遺失 = 0 (0% 遺失)，
大約的來回時間 (毫秒):
最小值 = 2ms，最大值 = 83ms，平均 = 27ms

PS C:\iperf3> ./iperf3 -c 192.168.1.190
Connecting to host 192.168.1.190, port 5201
[ 5] local 192.168.2.6 port 49765 connected to 192.168.1.190 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.01 sec 5.25 MBytes 43.4 Mbits/sec
[ 5] 1.01-2.00 sec 7.50 MBytes 63.9 Mbits/sec
[ 5] 2.00-3.00 sec 7.50 MBytes 62.9 Mbits/sec
[ 5] 3.00-4.00 sec 8.25 MBytes 69.2 Mbits/sec
[ 5] 4.00-5.01 sec 8.12 MBytes 67.6 Mbits/sec
[ 5] 5.01-6.01 sec 8.25 MBytes 68.9 Mbits/sec
[ 5] 6.01-7.01 sec 8.25 MBytes 69.6 Mbits/sec
[ 5] 7.01-8.00 sec 7.62 MBytes 64.4 Mbits/sec
[ 5] 8.00-9.01 sec 7.88 MBytes 65.7 Mbits/sec
[ 5] 9.01-10.02 sec 8.50 MBytes 70.6 Mbits/sec

[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.02 sec 77.1 MBytes 64.6 Mbits/sec sender
[ 5] 0.00-10.04 sec 77.1 MBytes 64.4 Mbits/sec receiver

以UDM/UCG對測