Full Duplex breaks IPSec?



  • Hi,
    ive got a strange Problem hopfully somebody can help.

    We have a Pfsense in the Office and one Pfsense as Endpoint in an Testlab conncted through IPSEC. This worked as expected.
    We also access the Testlab through an PPTP Tunnel, also works great but i recognized slow throughput. With a deeper look i found that the WAN Port is not set to Full Duplex.

    I changed this with:
    ifconfig fxp0 139.25.252.100 media 100BaseTX mediaopt full-duplex
    (I have no control over the switch)

    PPTP-Throughput is now fine, but i don't get a connection with IPSec any longer…
    After a reboot of the FW> Wanport is no longer full-duplex > Ipsec works again

    Could somebody help me out where to have a look?

    Regards Tom



  • Sorry to ask again,
    has nobody an idea wher to begin to troubleshoot? I am not very expierenced with IPSEC but i don't get why Duplex/fullduplex makes a difference…

    Like i said before: Config works when one side is 100baseTX fullduplex the other one 100baseTX

    and i change both having 100baseTX fullduplex its not working.

    As far as i can see from the logs it seems that the tunnel is established but i can't get a ping/traffic through...

    Regards
    Thomas



  • Most likely because by forcing full duplex you're creating a duplex mismatch, which will cause all kinds of problems.



  • Hi,

    Thanks for your reply.
    The only thing wjich braks is IPSEC… Normal Access through NAT or PPTP Tunnel is working with a good Data Throughput...

    If i had a duplex missmatch, i would suspect nothing is working...



  • Most hardware now days will continue to work even with duplex mismatch. What errors do you get in IPsec logs?



  • Just an Update, i solved my Problem…

    The IPSEC Logfiles were OK, no errors Connected but no traffic

    the Problem was the one site was configured for DHCP not static...


Locked