All, I am posting this as information so it might help others; I have already worked with tech support for this fix.
In my environment, I have an MX65 on a 100mb/sec internet link. Our home office is a Cisco ASA-5516 on a 100mb/sec Internet link. I set up a non-Meraki site-to-site VPN with the ASA and immediately noticed poor VPN performance. When I talked to Meraki tech support, initially, they said they did not support my VPN config. I was using AES256/SHA1 for both phase 1 and 2. They insisted I need to use 3DES/SHA1 for both. They also suggested I use Iperf to test the speed.
I set up Iperf to test connection speed site to site both inside the VPN tunnel and outside (unencrypted). Iperf showed that I was getting about 20mb/sec throughput when encrypted but 90mb/sec unencrypted. So this shows that the problem here is encryption, and not the internet links at either end.
I went through several engineers at Meraki who were not able to help me; they even RMA’d my MX65 thinking it was a hardware issue. Finally, a new engineer (Christopher) picked up my case. He was willing to set up a test in his lab. He reproduced my poor VPN performance and then tested different settings. He found that AES128 for both phase 1 and 2 provided better throughput. I made these changes and ran Iperf again. With AES128 instead of 3DES, Iperf was testing at about 80mb/sec, a 4x increase from 3DES.
I can only speculate that Meraki is doing AES128 decryption in hardware and the rest in software, and maybe that accounts for the performance difference; however, one thing is clear: DO NOT USE THE MERAKI RECOMMENDED VPN SETTINGS.
ALWAYS USE AES128 FOR VPNs.