Poor IPSec performance
-
What are your IP's for your pfSense LAN and L3 switches? what is the Subnet Mask used?
-
PC1–- Switch1---pfs1---pfs2---Switch2---PC2
Net between PC1 and Switch1 is 172.16.100.0/24
Net between Switch1 and pfs1 is 192.168.42.4/30
Net between pfs1 and pfs2 is 192.168.42.0/30
Net between pfs2 and Switch2 is 172.16.10.0/24
Net between PC2 and Switch2 is 172.16.65.0/26(All this i very simple put in terms of my real production net on the switch2 side)
Remember that Switch2 acts as a gw for the internet also.
My IPSec config for the networks is:
pfs1:
Local net = 172.16.100.0/24
Remote net = 0.0.0.0/0Interface = WAN
Remote gw = 192.168.42.1pfs2:
Local net = 0.0.0.0/0
Remote net = 172.16.100.0/24Interface = WAN
Remote gw = 192.168.42.2Hopes this can give you an idea.
Again with the IPSec turned off everything runs as you would expect. With IPSec turned on pings comes throug but when you starts to move larger amounts of data nothings happens.
Cheers
Ole -
Couple of things….
Why do you have 0.0.0.0/0 listed?
Also it looks like you are using multiple subnets behind your pfsense. Either try creating static routes or changing the LAN to /16.
Net between pfs2 and Switch2 is 172.16.10.0/24
Net between PC2 and Switch2 is 172.16.65.0/26 -
I have 0.0.0.0/0 liste because I want all traffic encrypted between the two pfsense machines.
-
Is this just a test or is this a prod enviroment? Why are you directly connecting the 2 pfSense boxes to each other? is this a point2point tunnel? Do you want internet requests to go through the IPSEC tunnel? Have you tried specifying the correct subnet rather than 0.0.0.0/0? Did you modify the Outbound NAT? You might be having a conflict with the built-in NAT trying to send anything not specified out the WAN rather than the ipsec tunnel.
-
It is suppose to go in the production environment.
The 2 pfsense boxes are connected via a L2 connection with the soul purpose of encrypting all traffic between them.
I have tried only having the 172.16.10.0/24 net behind pfs2 and only 172.16.100.0/26 behind pfs1. With requests from one net to the other icmp goes through. No problem. I can telnet through. But if I do a "show log" on the switch I'm telnetting to it briefly starts and then comes to a halt. This is also true if I connect to a windows share. A small amount of traffic is being sendt and the nothing.
Again all works without IPSec.
Modyfied::
I should also menthion that all packet filtering and NAT is turned off.
I was thinking about "Bypass firewall rules for traffic on the same interface", " Block RFC1918 Private Networks" and "Block bogon networks:" options. Can they play a part?
-
Another discovery I made right now is that when ever the length of an ESP packet is 1480 everything stops. The next line in a tcpdump is always a esp (in lower case). See also print out.
Can it be the MTU in IPsec?
13:00:47.407446 IP 192.168.42.2 > 192.168.42.1: ESP(spi=0x01e083a4,seq=0x3), length 1480
13:00:47.407450 IP 192.168.42.2 > 192.168.42.1: esp -
I have now performed a ping test where I tried to increase the packet size. When a packet must be fragmented the problem appears.
Does this make sense?
Modifyed::
The max packet size I can ping with and get an answer is 1410. This results in a ESP packet of 1476. Anything larger than that, results in a ESP packet of 1480 and no data is coming through.
tcpdump -vv
Does not go through:
13:19:19.391590 IP (tos 0x0, ttl 64, id 21771, offset 0, flags [+], proto ESP (50), length 1500) 192.168.42.1 > 192.168.42.2: ESP(spi=0x045c0bdd,seq=0xa), length 1480
13:19:19.391593 IP (tos 0x0, ttl 64, id 21771, offset 1480, flags [none], proto ESP (50), length 32) 192.168.42.1 > 192.168.42.2: espGoes through:
13:19:23.807651 IP (tos 0x0, ttl 64, id 49629, offset 0, flags [none], proto ESP (50), length 1496) 192.168.42.1 > 192.168.42.2: ESP(spi=0x045c0bdd,seq=0xb), length 1476 -
Perhaps a "esp_frag 552;" in the racoon.conf will help on this issue but I don't know how to add it to that conf file permanent. Every time I reload racoon the line disappears from the conf file.
Does anyone know if " esp_frag 552;" will help on this issue?
-
Does anyone have any idea on how to fix this issue?
-
Could you upgrade to 1.2.3 http://blog.pfsense.org/?p=377
-
Sure. How do I get a hold off it?
-
http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
-
Upgraded to 1.2.3 with no success. Still the same problem :-[
Can it be a HW failure or HW incompatibility?
I've tried a cross-over cable between the two servers with 1000baseTX. I've tried to force the interfaces to 100baseTX with no success and I've tried placing a switch in between. All with the same result.
-
did that racoon config helped you ?
It seems like pmtu discovery problem. Can you take an tcpdump output file of 1min of traffic and attach here either on the enc0 interface and LAN and wan ones -
I was not able to make the changes to the racoon config. It's overwriten every time racoon starts.
I will make a tcpdump asap and attach it here.
-
Here is the dump from the wan interface on pfs1.
I'm not getting any packages on enc0.
I've updated both boxes to 1.2.3 20090224-0050
-
Has anyone any idea?
-
Commercial support might be the way to go
-
Hi Olejak,
have you resolved the problem?
Just interesting…
Actually it is normal for large packets:
13:00:47.407446 IP 192.168.42.2 > 192.168.42.1: ESP(spi=0x01e083a4,seq=0x3), length 1480
13:00:47.407450 IP 192.168.42.2 > 192.168.42.1: espI am just wondering whether you receive the same two packets on the other end? I.e. if it is a trace from FW1 do you see the same packets on FW2?