• IPsec site to site performance not great

    3
    0 Votes
    3 Posts
    1k Views
    5

    @Hugh:

    Can you confirm that you push the traffic levels you are hoping for without the VPN involved?

    If you SSH in or look in the console, run ifconfig, what do your options look like:

    options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>

    Have a look at:

    https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

    I'm suggesting that you might be having issues with the TSO and LRO areas. Here is the full output of ifconfig:

    [2.1.5-RELEASE][admin@pfSense.conway.local]/root(1): ifconfig
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:50:56:88:5d:36
            inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
            inet6 fe80::250:56ff:fe88:5d36%em0 prefixlen 64 scopeid 0x1
            nd6 options=1<PERFORMNUD>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether f8:e4:fb:22:40:ee
            inet 72.92.54.39 netmask 0xffffff00 broadcast 72.92.54.255
            inet6 fe80::fae4:fbff:fe22:40ee%em1 prefixlen 64 scopeid 0x2
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:50:56:88:08:18
            inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
            inet6 fe80::250:56ff:fe88:818%em2 prefixlen 64 scopeid 0x3
            nd6 options=1<PERFORMNUD>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    pflog0: flags=100<PROMISC> metric 0 mtu 33144
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::250:56ff:fe88:5d36%ovpns1 prefixlen 64 scopeid 0x9
            inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 81705
    ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::250:56ff:fe88:5d36%ovpns2 prefixlen 64 scopeid 0xa
            inet 10.0.2.1 --> 10.0.2.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 86563
    ovpns3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::250:56ff:fe88:5d36%ovpns3 prefixlen 64 scopeid 0xb
            inet 10.8.8.1 --> 10.8.8.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 90177
    ovpns4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::250:56ff:fe88:5d36%ovpns4 prefixlen 64 scopeid 0xc
            inet 10.8.1.1 --> 10.8.1.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 94308

    Right now none of the OpenVPN servers are actively used.

    Thanks!

    What sort of network cards are you using under ESXi, what have you setup under FreeBSD?

    Thanks Hugh for the reply. Without the VPN tunnel I can download via web server at 4.1 MB/s from one location to the other. I am using Intel Pro/1000 VT quad port nics in each ESXi host.

    Both TSO and LRO boxes are checked on each side

  • IPsec tunnel uptime

    1
    0 Votes
    1 Posts
    913 Views
    No one has replied
  • [solved] Unable to reach hosts on the other side

    6
    0 Votes
    6 Posts
    2k Views
    S

    @cmb:

    I just reconfigured the LAN interface on pfsense to use a subnet mask of 255.255.255.0, which got propagated to the clients via DHCP, and now 10.0.0.5 is also having a mask of 255.255.255.0. And now I can fully access this host via IPSec!! :)

    Thanks a lot for your help, much appreciated :)

  • Add/remove route on tunnel up/down

    4
    0 Votes
    4 Posts
    921 Views
    C

    You could hack in BIRD if you wanted, but Quagga is already in packages for OSPF and would be a better option since it's integrated. That's an option with IPsec transport mode and GRE or gif, or OpenVPN.

  • Racoon service

    2
    0 Votes
    2 Posts
    677 Views
    C

    That's never necessary, the connection(s) where you make changes get reloaded and only those connections. Restarting the service will drop all your VPNs.

  • Juniper SSG140 Policy Based VPN!! Help

    4
    0 Votes
    4 Posts
    2k Views
    T

    Hi

    Did you have any luck with this? I am having the same trouble with a SSG20.

  • Mobile IPSEC to multiple VPNs

    3
    0 Votes
    3 Posts
    807 Views
    C

    Your P2s to the remote sites, and the mobile clients, must include the remote networks and the mobile IPsec network.

  • Remote Gateway IP field

    2
    0 Votes
    2 Posts
    667 Views
    C

    The section you're referring to is for site to site VPNs. Those either require a hostname or IP for the remote. For mobile clients, you want mobile IPsec which is separate.

  • Pfsense IPSec tunnel going down and up repeatedly

    4
    0 Votes
    4 Posts
    2k Views
    C

    What do your IPsec logs show for that connection?

  • VPN Phase 1

    2
    0 Votes
    2 Posts
    695 Views
    C

    Only way a VPN can be disabled is an admin going in and checking that box. Go to Diag>Backup/restore, config history tab, and you'll be able to find who did it assuming it wasn't a bunch of revisions in the past.

  • Ipsec with watchguard

    2
    0 Votes
    2 Posts
    1k Views
    Z

    Hi,

    I have the same scenario, but my IPSEC tunnel is not working, bernikm can you help me posting your config?

    Thanks

  • Soekris net6501 IPSec Tunnel Performance

    1
    0 Votes
    1 Posts
    904 Views
    No one has replied
  • Multi-wan IPSEC with failover issue

    2
    0 Votes
    2 Posts
    2k Views
    A

    Hi,
    did you find any suitable solution to your issue?

    I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since September I have not had a single comment.  :(

  • IPsec failover main link come up not working.

    2
    0 Votes
    2 Posts
    884 Views
    A

    Hi,
    did you find any suitable solution to your issue?

    I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since September I have not had a single comment.  :(

    It seems nobody knows about this problem, except we two.

  • Internet access through IPSec VPN

    2
    0 Votes
    2 Posts
    2k Views
    A

    Ok, problem solved.

    How I missed it, I don't know, but the problem was DNS. I forgot to add UDP to the IPSec rule on the firewall. Doh!  :-[

  • IPsec site-to-site Tutorial ip dynamic ?

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ

    It's exactly like a normal site-to-site IPsec setup, but the dynamic site needs a DynDNS host setup, and the other end uses that for the remote peer address.

  • IPSec BINAT different subnets

    3
    0 Votes
    3 Posts
    2k Views
    O

    I have the same problem. I have established the tunnel, and from pfsense the ping returns.

    I have presented a different network to mine, but not how to do NAT. Can you give an example? Please

    example my configuration Phase 2
    Local network (UP) 192.168.1.2/32
    local network nat (down) 10.0.0.2/32
    remote network 10.22.0.0/20

    Thanks,

  • PFSense 2.1 IP-SEC & AT&T Netopia 3347-02 7.8.1r2

    5
    0 Votes
    5 Posts
    2k Views
    V

    @starkiller:

            my_identifier keyid tag "VPN";
            peers_identifier keyid tag "VPN";

    I know this a reply to an old post but I think the my_Identifier KeyID tag should be different to the peers_Identifier KeyID tag.

  • Multi WAN = Mobile Tunnel only work on "default" GW but site-to-site any?

    3
    0 Votes
    3 Posts
    1k Views
    K

    I think I am having the same problem.

    I added a second WAN (ATT) and changed the default gateway to the new ISP (ATT) and modified the rule for ipsec to use the SONIC gateway.

    When the default is set to ATT mobile IPSEC fails.
    When the default is set to SONIC it has no issues.

  • IPsec unable to connect

    2
    0 Votes
    2 Posts
    1k Views
    T

    Check at Untangle; something must be blocking the IPSec tunnel from establishing.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.