    Internet slowness over VPN

    IPsec
      owczi last edited by

      All,

      I have been dealing with a general TCP slowness issue when accessing the Internet while connected to my mobile IPSec endpoint.

      The network has got multiple tunnels in a hub-and-spoke scenario (IPSec + GRE + BGP). A mobile IPSec client connects to one of the hub nodes. Split tunneling is disabled, so once connected to the VPN, all traffic is tunneled, and source NAT is done for the VPN client address pool.

      When I'm connected, I have no issues with reaching any of the internal locations (vpn client -> (internet) -> hub -> (internet) -> spoke -> node) - data rates are what the network permits. My hub nodes are also running squid - download speeds via Squid are fine.

      However, when trying to reach an Internet location directly via the VPN client (web, anything TCP), I am seeing a horrible sequence of TCP retransmissions and duplicate ACKs: vpn client -> (internet) -> hub -> internet. I can only reach something like 10 kB/sec.

      First thing that came to my mind was MTU issues - however I have normalised MTU and TCP MSS across the whole network, including the WAN interface on the hub nodes - no issues, any intranet communication is fine, and as I said, browsing via Squid is also fine.

      Essentially the hub is bouncing my traffic via its WAN interface (encrypted ingress SYN, decrypted egress SYN, non-encrypted ingress ACK, encrypted egress ACK, etc). Could this in itself be causing my issue? Could this be a prioritisation problem i.e. VPN traffic is contending with Internet traffic?

      I am using pfSense 2.3.2.

      Any ideas welcome.

      Thanks,
      owczi

        owczi last edited by

        We have closure! After a really long time dealing with slow VPN client operation, it turned out that the problem was UDP checksums. "Disable hardware UDP checksums" solved all performance issues.

          kejianshi last edited by

          I will keep that in mind as a possible bug for future builds when I am looking for issues.

          VPN performance is my number one most important thing.

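Added example (not part of the thread and not pfSense code): a checker for the IPv4 UDP checksum, the field the fix reported above concerns, usable on datagrams extracted from a packet capture. The addresses, ports and payload are constructed sample values, and `build_udp` and `classify` are names chosen for this illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum (RFC 768)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum the sender should store, computed with the field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    data = pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    csum = ~ones_complement_sum(data) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 means "none"

def classify(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Classify one UDP segment (header + payload) the way a receiver would."""
    if len(segment) < 8:
        return "truncated"
    length, stored = struct.unpack("!HH", segment[4:8])
    if length != len(segment):
        return "length-mismatch"
    if stored == 0:
        return "no-checksum"  # legal for UDP over IPv4: sender did not compute one
    ok = stored == udp_checksum(src_ip, dst_ip, segment)
    return "ok" if ok else "bad-checksum"

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build a correctly checksummed segment (constructed test input)."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload

if __name__ == "__main__":
    SRC, DST = "192.0.2.10", "198.51.100.20"       # constructed addresses
    good = build_udp(SRC, DST, 50000, 50001, b"constructed payload")
    damaged = good[:-1] + bytes([good[-1] ^ 0x01])  # one payload bit flipped
    for name, seg in (("good", good), ("damaged", damaged)):
        print(name, classify(SRC, DST, seg))
```

A capture taken on the sending host while transmit checksum offload is enabled shows checksums the NIC has not yet filled in, so they classify as bad there; judge datagrams captured on the receiving side.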