Major performance issues ipsec 2.1.5 to 2.3.1 Help if possible????



  • I am only able to pull down at 1 Mbit on a 2.1.5 from a 2.3.1 version.

    I am using AES 128 on both locations.  VPNs work, and if I use 2.3 to a 2.2.6 I have no issues.

    Does anyone have a 2.2.6 upgrade for nano 4g AMD?



  • Long past time to upgrade the 2.1.5 box. Should be no reason to stay on 2.2.x at this point, being dependent on some removed package probably the only reason, though in most cases those shouldn't be relied upon.



  • Upgraded to 2.2.6 on APU platform but still only getting 1.5 to 2mbit aes 128.  I should be getting better than that.

    Any issues with 2.3 on APU?



  • @kapara:

    Any issues with 2.3 on APU?

    No



  • This is from my virtual 2.3 running in Hyper-V.  I see errors but all tunnels are up.

    Jul 16 00:54:19 charon 09[IKE] <con2|11>retransmit 1 of request with message ID 0
    Jul 16 00:54:19 charon 09[NET] <con2|11>sending packet: from 192.99.xxx.xxx[500] to 76.126.xxx.xxx[500] (336 bytes)
    Jul 16 00:54:25 charon 08[NET] <13> received packet: from 12.216.xxx.xxx[500] to 192.99.xxx.xxx[500] (328 bytes)
    Jul 16 00:54:25 charon 08[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
    Jul 16 00:54:25 charon 08[IKE] <13> 12.216.xxx.xxx is initiating an IKE_SA
    Jul 16 00:54:25 charon 08[CFG] <13> received proposals: IKE:BLOWFISH_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 00:54:25 charon 08[CFG] <13> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 00:54:25 charon 08[IKE] <13> received proposals inacceptable
    Jul 16 00:54:25 charon 08[ENC] <13> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Jul 16 00:54:25 charon 08[NET] <13> sending packet: from 192.99.xxx.xxx[500] to 12.216.xxx.xxx[500] (36 bytes)
    Jul 16 00:54:26 charon 08[IKE] <con2|11>retransmit 2 of request with message ID 0
    Jul 16 00:54:26 charon 08[NET] <con2|11>sending packet: from 192.99.xxx.xxx[500] to 76.126.xxx.xxx[500] (336 bytes)
    Jul 16 00:54:37 charon 14[IKE] <con1|10>retransmit 4 of request with message ID 0
    Jul 16 00:54:37 charon 14[NET] <con1|10>sending packet: from 192.99.xxx.xxx[500] to 64.7.69.102[500] (336 bytes)
    Jul 16 00:54:39 charon 08[IKE] <con2|11>retransmit 3 of request with message ID 0
    Jul 16 00:54:39 charon 08[NET] <con2|11>sending packet: from 192.99.xxx.xxx[500] to 76.126.xxx.xxx[500] (336 bytes)
    Jul 16 00:55:02 charon 07[IKE] <con2|11>retransmit 4 of request with message ID 0
    Jul 16 00:55:02 charon 07[NET] <con2|11>sending packet: from 192.99.xxx.xxx[500] to 76.126.xxx.xxx[500] (336 bytes)
    Jul 16 00:55:19 charon 08[IKE] <con1|10>retransmit 5 of request with message ID 0
    Jul 16 00:55:19 charon 08[NET] <con1|10>sending packet: from 192.99.xxx.xxx[500] to 64.7.69.102[500] (336 bytes)
    Jul 16 00:55:44 charon 07[IKE] <con2|11>retransmit 5 of request with message ID 0
    Jul 16 00:55:44 charon 07[NET] <con2|11>sending packet: from 192.99.xxx.xxx[500] to 76.126.xxx.xxx[500] (336 bytes)
    Jul 16 00:56:35 charon 08[IKE] <con1|10>giving up after 5 retransmits
    Jul 16 00:56:35 charon 08[IKE] <con1|10>establishing IKE_SA failed, peer not responding
    Jul 16 00:57:00 charon 07[IKE] <con2|11>giving up after 5 retransmits
    Jul 16 00:57:00 charon 07[IKE] <con2|11>establishing IKE_SA failed, peer not responding
    Jul 16 00:58:50 charon 09[NET] <14> received packet: from 12.216.xxx.xxx[500] to 192.99.xxx.xxx[500] (328 bytes)
    Jul 16 00:58:50 charon 09[ENC] <14> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
    Jul 16 00:58:50 charon 09[IKE] <14> 12.216.xxx.xxx is initiating an IKE_SA
    Jul 16 00:58:50 charon 09[CFG] <14> received proposals: IKE:BLOWFISH_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 00:58:50 charon 09[CFG] <14> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 00:58:50 charon 09[IKE] <14> received proposals inacceptable
    Jul 16 00:58:50 charon 09[ENC] <14> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Jul 16 00:58:50 charon 09[NET] <14> sending packet: from 192.99.xxx.xxx[500] to 12.216.xxx.xxx[500] (36 bytes)
    Jul 16 01:03:15 charon 15[NET] <15> received packet: from 12.216.xxx.xxx[500] to 192.99.xxx.xxx[500] (328 bytes)
    Jul 16 01:03:15 charon 15[ENC] <15> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
    Jul 16 01:03:15 charon 15[IKE] <15> 12.216.xxx.xxx is initiating an IKE_SA
    Jul 16 01:03:15 charon 15[CFG] <15> received proposals: IKE:BLOWFISH_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 01:03:15 charon 15[CFG] <15> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 01:03:15 charon 15[IKE] <15> received proposals inacceptable
    Jul 16 01:03:15 charon 15[ENC] <15> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Jul 16 01:03:15 charon 15[NET] <15> sending packet: from 192.99.xxx.xxx[500] to 12.216.xxx.xxx[500] (36 bytes)
    Jul 16 01:07:40 charon 05[NET] <16> received packet: from 12.216.xxx.xxx[500] to 192.99.xxx.xxx[500] (328 bytes)
    Jul 16 01:07:40 charon 05[ENC] <16> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
    Jul 16 01:07:40 charon 05[IKE] <16> 12.216.xxx.xxx is initiating an IKE_SA
    Jul 16 01:07:40 charon 05[CFG] <16> received proposals: IKE:BLOWFISH_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 01:07:40 charon 05[CFG] <16> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 16 01:07:40 charon 05[IKE] <16> received proposals inacceptable
    Jul 16 01:07:40 charon 05[ENC] <16> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Jul 16 01:07:40 charon 05[NET] <16> sending packet: from 192.99.xxx.xxx[500] to 12.216.xxx.xxx[500] (36 bytes)
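
Added example, not part of the original post: a short Python pass over charon output like the log above that separates the two failure patterns visible in it, rejected IKE proposals (listing the algorithms each side lacks) and peers that never answered. The sample lines are constructed in the same format with documentation-range addresses, and `summarize` and its field names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in charon's log format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 16 00:54:25 charon 08[IKE] <13> 198.51.100.7 is initiating an IKE_SA
Jul 16 00:54:25 charon 08[CFG] <13> received proposals: IKE:BLOWFISH_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 16 00:54:25 charon 08[CFG] <13> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 16 00:54:25 charon 08[IKE] <13> received proposals inacceptable
Jul 16 00:55:19 charon 08[IKE] <con1|10>retransmit 5 of request with message ID 0
Jul 16 00:55:19 charon 08[NET] <con1|10>sending packet: from 192.0.2.1[500] to 203.0.113.9[500] (336 bytes)
Jul 16 00:56:35 charon 08[IKE] <con1|10>giving up after 5 retransmits
"""

# The <...> tag identifies the IKE_SA; the space after it is optional in pasted logs.
LINE = re.compile(r"charon \d+\[[A-Z]+\] <(?P<sa>[^>]+)>\s*(?P<msg>.*)")

def _algs(msg):
    # "received proposals: IKE:A/B, IKE:C/D" -> {"A", "B", "C", "D"}
    body = msg.split(": ", 1)[1]
    return {a for p in body.split(",") for a in p.strip().split(":", 1)[-1].split("/")}

def summarize(log):
    """Return (proposal mismatches, unresponsive peers) found in charon log text."""
    state = defaultdict(dict)      # scratch data per IKE_SA tag
    mismatches, dead = [], []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = m["sa"], m["msg"]
        s = state[sa]
        if msg.endswith("is initiating an IKE_SA"):
            s["peer"] = msg.split()[0]
        elif msg.startswith("received proposals:"):
            s["rx"] = _algs(msg)
        elif msg.startswith("configured proposals:"):
            s["cfg"] = _algs(msg)
        elif msg == "received proposals inacceptable" and "rx" in s and "cfg" in s:
            mismatches.append({"peer": s.get("peer"),
                               "peer_only": sorted(s["rx"] - s["cfg"]),
                               "local_only": sorted(s["cfg"] - s["rx"])})
        elif msg.startswith("sending packet:"):
            s["dst"] = re.search(r" to (\S+)\[\d+\]", msg)[1]
        elif msg.startswith("giving up after"):
            dead.append((sa.split("|")[0], s.get("dst")))
    return mismatches, dead
```

On the constructed sample this reports that the initiating peer offers only `BLOWFISH_CBC_128` where the local side is configured for `3DES_CBC`, and that `con1` gave up on its remote address after the retransmit limit.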



  • I just updated my NTP settings.  Disabled time sync in the VM (pfsense 2.3) and rebooted.