IKEv2 Connects but internet is very slow

Derelict

IDK. I would use a laptop to troubleshoot, not a phone.

TimeBandit

I can try with my wife's macbook. What steps would you recommend?

Derelict

General network troubleshooting. I would first use dig or drill to be sure the DNS configuration was sane and doing what it expected.

Look at the routing table to be sure it is sane.

Etc.

TimeBandit

Dig and nslookup both work and are using the correct local address for DNS Resolver - 192.168.20.1

The routing table seems to be where the problem is.

10.7.4.1 is the Virtual Address Pool from Mobile Clients.

No idea where the 172.20.10.X stuff is coming from.

Next steps?

Derelict

You'll have to talk to someone more familiar with Windows IKEv2 than I am.

TimeBandit

This was from a macbook. Thanks for trying.

Derelict

No need to get nasty.

The font threw me, and the fact that it's a screen shot instead of a copy/paste. We usually get that from Windows users.

TimeBandit

No nasty intent at all, sorry if it came across that way. Was being sincere - I appreciate you taking the time to at least point me in the right direction.

Derelict

What version of macos?

TimeBandit

Mojave 10.14.5

Your font instincts were pretty good though. I output the netstat results to a file and then opened it in the text editor on my windows machine and when I tried to paste it to the forum the columns were all messed up so I went with a screenshot so it would be easily readable.

Derelict

what is the output of:

scutil --dns when you are connected to the VPN?

TimeBandit

DNS configuration

resolver #1
nameserver[0] : 192.168.20.1
if_index : 16 (ipsec0)
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
nameserver[0] : 172.20.10.1
if_index : 5 (en0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
nameserver[0] : 192.168.20.1
if_index : 16 (ipsec0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

Derelict

So when you're connected to the VPN do both of these work quickly? (one sec)

dig @172.20.20.1 www.google.com

dig @192.168.20.1 www.google.com

TimeBandit

dig @172.20.20.1 www.google.com

Connection Times Out

dig @192.168.20.1 www.google.com

Responds immediately <200ms

TimeBandit

Just in case you had a typo I also ran

dig @172.20.10.1 www.google.com

this responded under 200ms as well.

Derelict

Yeah that was a typo. Sorry. If both name servers respond in the same time frame (200ms is nothing to write home about) then I guess it's not DNS. If you do not NEED the clients to use a DNS server on the other side of the VPN, I don't think I would push it to them.

What, specifically, are you seeing?

TimeBandit

My reason for pushing DNS to the other side is so that I can connect to machines on the other side using the hostnames stored in DNS Resolver and that part works. It's the internet connection that's the problem.

The thing that I can't get my head around is where is 172.20.10.1 coming from, as far as I know I didn't set it up.

Derelict

The looks like the ethernet LAN on the client.