Netgate Discussion Forum

IKEv2 Connects but internet is very slow

IPsec · 21 Posts 2 Posters 2.0k Views
TimeBandit

      My Setup

      Brand new Netgate SG-3100 on 2.4.4 release 3
      3 VLANs - Home, IOT and Guest
      Using Resolver in forwarding mode with PFBlockerNG
      Using a dynamic IP Address example.duckdns.org

      Clients are an iPhone SE and an iPad Air 2.

      I followed the instructions at https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/ and am able to connect. When Phase 2 Local Network is set to Network 0.0.0.0/0 remote clients can access local computers and get the external IP of the server. However, internet access is very slow.

      Things I have tried:

      - Adding a domain override from the VPN's virtual address subnet to the address of the pfSense box.
      - Turning off pfBlockerNG

      Seems like a DNS problem but I'm not sure what to do next to try to diagnose the issue.

Derelict (LAYER 8, Netgate)

        Seems like a DNS problem but I'm not sure what to do next to try to diagnose the issue.

        Debug DNS? What servers are the clients given, do they resolve names, etc.

        There are some network diagnostic tools for iOS. Hurricane Electric maintains one called Network Tools, there is another one also called Network Tools, there is one called iNetTools.

        In general when I need to troubleshoot something like this I would just connect to the IPsec using my macbook so I'd have a full suite of tools to use.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

TimeBandit

          I have Network Analyzer Lite on my iPhone. On its info page, I can see that the DNS Server is the address of my pfSense box and the external IP is the IP address of my WAN internet connection, which is what I would expect. One thing I noticed that is not showing up is a block of information called VPN Information. That block of information is present when I connect via OpenVPN and alternatively when I turn off IPsec in pfSense and forward the IPsec ports to my Synology box and connect to its IPsec VPN server. That VPN information contains IP Address (of the client), Subnet Mask and any IPv6 Addresses. Those two VPN configurations work well. When connected to the IKEv2 VPN at issue here, I can see in Settings/VPN/info for this particular configuration that it is getting an IP address from the virtual address pool configured in mobile clients.

          Going over to HE tools, when I do a traceroute to google.com or yahoo.com, hop 1 just shows a "-" when connected to the IKEv2 VPN. On OpenVPN and Synology IPsec, I see the IP address of the pfSense box in hop 1. After that it's the same route.

          The behavior I am seeing when trying to load a webpage is an initial long pause, then most of the page loads and the blue progress line in the address bar stops at about 40% across and then it appears to be trying to load more for a few minutes until it times out.

Derelict (LAYER 8, Netgate)

            IDK. I would use a laptop to troubleshoot, not a phone.

TimeBandit

              I can try with my wife's macbook. What steps would you recommend?

Derelict (LAYER 8, Netgate)

                General network troubleshooting. I would first use dig or drill to be sure the DNS configuration was sane and doing what I expected.

                Look at the routing table to be sure it is sane.

                Etc.

TimeBandit

                  Dig and nslookup both work and are using the correct local address for DNS Resolver - 192.168.20.1

                  The routing table seems to be where the problem is.

                  [Screenshot of the netstat routing table output: ScreenshotRT.png]

                  10.7.4.1 is the Virtual Address Pool from Mobile Clients.

                  No idea where the 172.20.10.X stuff is coming from.

                  Next steps?

Derelict (LAYER 8, Netgate)

                    You'll have to talk to someone more familiar with Windows IKEv2 than I am.

TimeBandit

                      This was from a macbook. Thanks for trying.

Derelict (LAYER 8, Netgate)

                        No need to get nasty.

                        The font threw me, and the fact that it's a screen shot instead of a copy/paste. We usually get that from Windows users.

TimeBandit

                          No nasty intent at all, sorry if it came across that way. Was being sincere - I appreciate you taking the time to at least point me in the right direction.

Derelict (LAYER 8, Netgate)

                            What version of macos?

TimeBandit

                              Mojave 10.14.5

                              Your font instincts were pretty good though. I output the netstat results to a file and then opened it in the text editor on my windows machine and when I tried to paste it to the forum the columns were all messed up so I went with a screenshot so it would be easily readable.

Derelict (LAYER 8, Netgate)

                                What is the output of `scutil --dns` when you are connected to the VPN?

TimeBandit

                                  DNS configuration

                                  resolver #1
                                  nameserver[0] : 192.168.20.1
                                  if_index : 16 (ipsec0)
                                  flags : Request A records
                                  reach : 0x00000002 (Reachable)

                                  resolver #2
                                  domain : local
                                  options : mdns
                                  timeout : 5
                                  flags : Request A records
                                  reach : 0x00000000 (Not Reachable)
                                  order : 300000

                                  resolver #3
                                  domain : 254.169.in-addr.arpa
                                  options : mdns
                                  timeout : 5
                                  flags : Request A records
                                  reach : 0x00000000 (Not Reachable)
                                  order : 300200

                                  resolver #4
                                  domain : 8.e.f.ip6.arpa
                                  options : mdns
                                  timeout : 5
                                  flags : Request A records
                                  reach : 0x00000000 (Not Reachable)
                                  order : 300400

                                  resolver #5
                                  domain : 9.e.f.ip6.arpa
                                  options : mdns
                                  timeout : 5
                                  flags : Request A records
                                  reach : 0x00000000 (Not Reachable)
                                  order : 300600

                                  resolver #6
                                  domain : a.e.f.ip6.arpa
                                  options : mdns
                                  timeout : 5
                                  flags : Request A records
                                  reach : 0x00000000 (Not Reachable)
                                  order : 300800

                                  resolver #7
                                  domain : b.e.f.ip6.arpa
                                  options : mdns
                                  timeout : 5
                                  flags : Request A records
                                  reach : 0x00000000 (Not Reachable)
                                  order : 301000

                                  DNS configuration (for scoped queries)

                                  resolver #1
                                  nameserver[0] : 172.20.10.1
                                  if_index : 5 (en0)
                                  flags : Scoped, Request A records
                                  reach : 0x00020002 (Reachable,Directly Reachable Address)

                                  resolver #2
                                  nameserver[0] : 192.168.20.1
                                  if_index : 16 (ipsec0)
                                  flags : Scoped, Request A records
                                  reach : 0x00000002 (Reachable)

Derelict (LAYER 8, Netgate)

                                    So when you're connected to the VPN do both of these work quickly? (one sec)

                                    dig @172.20.20.1 www.google.com

                                    dig @192.168.20.1 www.google.com

TimeBandit

                                      dig @172.20.20.1 www.google.com

                                      Connection Times Out

                                      dig @192.168.20.1 www.google.com

                                      Responds immediately <200ms

TimeBandit

                                        Just in case you had a typo I also ran

                                        dig @172.20.10.1 www.google.com

                                        this responded under 200ms as well.

Derelict (LAYER 8, Netgate)

                                          Yeah that was a typo. Sorry. If both name servers respond in the same time frame (200ms is nothing to write home about) then I guess it's not DNS. If you do not NEED the clients to use a DNS server on the other side of the VPN, I don't think I would push it to them.

                                          What, specifically, are you seeing?

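The two checks Derelict asks for in this thread, a sanity pass over the client's resolver configuration and a timed query against each nameserver it lists, can be scripted so they are run the same way every time. The script below is an added example and is not code from this thread, from pfSense or from macOS. It parses `scutil --dns` output (an excerpt of the output posted above is embedded as sample input), builds a raw DNS A query with the standard library, and reports the round-trip time per nameserver together with the scope and interface scutil attributes to it, which is what separates "slow resolver" from "resolver behind a route the VPN did not install". The function names, the fixed transaction id and the two-second timeout are assumptions of this example.

```python
"""Parse `scutil --dns` and time an A query against every nameserver it lists.
Hypothetical helper for this thread, not part of pfSense or macOS."""
import re
import shutil
import socket
import struct
import subprocess
import time

# Excerpt of the scutil --dns output posted in this thread, used as sample input.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
nameserver[0] : 192.168.20.1
if_index : 16 (ipsec0)
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
reach : 0x00000000 (Not Reachable)

DNS configuration (for scoped queries)

resolver #1
nameserver[0] : 172.20.10.1
if_index : 5 (en0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
nameserver[0] : 192.168.20.1
if_index : 16 (ipsec0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
"""

TXID = 0x1234  # fixed id keeps the example deterministic; real tooling should randomise it


def parse_scutil_dns(text):
    """One dict per resolver block that names a server; mDNS-only blocks are dropped."""
    resolvers, scoped, current = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            scoped, current = "scoped" in line, None      # second section is the scoped one
        elif line.startswith("resolver #"):
            current = {"scoped": scoped, "nameservers": [], "ifname": None, "reachable": False}
            resolvers.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.startswith("nameserver["):
                current["nameservers"].append(value)
            elif key == "if_index":                      # "16 (ipsec0)" -> "ipsec0"
                m = re.search(r"\((\w+)\)", value)
                current["ifname"] = m.group(1) if m else None
            elif key == "reach":
                current["reachable"] = "Not Reachable" not in value
    return [r for r in resolvers if r["nameservers"]]


def build_a_query(name, txid=TXID):
    """Minimal RFC 1035 query: header with RD set, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_response_header(resp, txid=TXID):
    """Return (rcode, answer_count), or None for a short packet, a non-response,
    or a mismatched transaction id (a stray or spoofed reply must not count)."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        return None
    return flags & 0x000F, an


def time_query(server, name, timeout=2.0):
    """Send one UDP query to server:53; returns (seconds, rcode, answers),
    with seconds None on timeout. This is the only function that touches the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(build_a_query(name), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, None, None
        elapsed = time.monotonic() - t0
    hdr = parse_response_header(resp)
    return (elapsed, hdr[0], hdr[1]) if hdr else (elapsed, None, None)


def report(scutil_text, name="www.google.com"):
    """One line per nameserver: a fast server on one interface next to a
    timed-out server on another is the split-DNS signature worth chasing."""
    for r in parse_scutil_dns(scutil_text):
        for ns in r["nameservers"]:
            secs, rcode, answers = time_query(ns, name)
            scope = "scoped" if r["scoped"] else "default"
            state = "timeout" if secs is None else f"{secs * 1000:.0f} ms rcode={rcode} answers={answers}"
            print(f"{ns:<16} {scope:<8} {r['ifname'] or '-':<7} {state}")


if __name__ == "__main__":
    text = SAMPLE_SCUTIL
    if shutil.which("scutil"):  # on macOS, read the live configuration instead of the sample
        text = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    report(text)
```

Run it on the Mac while the IKEv2 tunnel is up; the per-server lines reproduce the manual `dig @server` comparison from this thread, and the scope/interface columns show which resolver the system will actually use for unscoped lookups. A server that answers only when reached over `en0` while the default resolver sits on `ipsec0` points at routing rather than at the resolver itself.
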
TimeBandit

                                            My reason for pushing DNS to the other side is so that I can connect to machines on the other side using the hostnames stored in DNS Resolver and that part works. It's the internet connection that's the problem.

                                            The thing that I can't get my head around is where is 172.20.10.1 coming from, as far as I know I didn't set it up.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.