4. IKEv2 Connects but internet is very slow

IKEv2 Connects but internet is very slow

  • T

    My Setup

    Brand new Netgate SG-3100 on 2.4.4 release 3
    3 VLANs - Home, IOT and Guest
    Using Resolver in forwarding mode with PFBlockerNG
    Using a dynamic IP Address example.duckdns.org

    Clients are an iPhone SE and an iPad Air 2.

    I followed the instructions at https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/ and am able to connect. When Phase 2 Local Network is set to Network 0.0.0.0/0 remote clients can access local computers and get the external IP of the server. However, internet access is very slow.

    Things I have tried:

    -Adding a domain override from the VPN's virtual address subnet to the address of the pfsense box.
    -Turning off PFBlockerNG

    Seems like a DNS problem but I'm not sure what to do next to try to diagnose the issue.

    0
  • LAYER 8 Netgate

    Seems like a DNS problem but I'm not sure what to do next to try to diagnose the issue.

    Debug DNS? What servers are the clients given, do the resolve names, etc.

    There are some network diagnostic tools for iOS. Hurricane Electric maintains one called Network Tools, there is another one also called Network Tools, there is one called iNetTools.

    In general when I need to troubleshoot something like this I would just connect to the IPsec using my macbook so I'd have a full suite of tools to use.

    0
  • T

    I have Network Analyzer Lite on my iphone. On its info page, I can see that the DNS Server is the address of my pfsense box and the external IP is the IP address of my WAN internet connection which is what I would expect. One thing I noticed that is not showing up is a block of information called VPN Information. That block of information is present when I connect via OpenVPN and alternatively when I turn off IPSEC in pfsense and forward the IPSEC ports to my Synology box and connect to its IPSEC VPN server. That VPN information contains IP Address (of the client), Subnet Mask and any IPv6 Addresses. Those two VPN configurations work well. When connected to the IKEv2 vpn at issue here, I can see in Settings/VPN/info for this particular configuration that it is getting an IP address from the virtual address pool configured in mobile clients.

    Going over to HE tools, when I do a traceroute to google.com or yahoo.com Hop 1 just shows a "-" when connected to the IKEv2 vpn. On OpenVPN and Synology IPSEC, I see the ip address of the pfsense box in hop 1. After that its the same route.

    The behavior I am seeing when trying to load a webpage is an initial long pause, then most of the page loads and the blue progress line in the address bar stops at about 40% across and then it appears to be trying to load more for a few minutes until it times out.

    0
  • LAYER 8 Netgate

    IDK. I would use a laptop to troubleshoot, not a phone.

    0
  • T

    I can try with my wife's macbook. What steps would you recommend?

    0
  • LAYER 8 Netgate

    General network troubleshooting. I would first use dig or drill to be sure the DNS configuration was sane and doing what it expected.

    Look at the routing table to be sure it is sane.

    Etc.

    0
  • T

    Dig and nslookup both work and are using the correct local address for DNS Resolver - 192.168.20.1

    The routing table seems to be where the problem is.

    ScreenshotRT.png

    10.7.4.1 is the Virtual Address Pool from Mobile Clients.

    No idea where the 172.20.10.X stuff is coming from.

    Next steps?

    0
  • LAYER 8 Netgate

    You'll have to talk to someone more familiar with Windows IKEv2 than I am.

    0
  • T

    This was from a macbook. Thanks for trying.

    0
  • LAYER 8 Netgate

    No need to get nasty.

    The font threw me, and the fact that it's a screen shot instead of a copy/paste. We usually get that from Windows users.

    0
  • T

    No nasty intent at all, sorry if it came across that way. Was being sincere - I appreciate you taking the time to at least point me in the right direction.

    0
  • LAYER 8 Netgate

    What version of macos?

    0
  • T

    Mojave 10.14.5

    Your font instincts were pretty good though. I output the netstat results to a file and then opened it in the text editor on my windows machine and when I tried to paste it to the forum the columns were all messed up so I went with a screenshot so it would be easily readable.

    0
  • LAYER 8 Netgate

    what is the output of:

    scutil --dns when you are connected to the VPN?

    0
  • T

    DNS configuration

    resolver #1
    nameserver[0] : 192.168.20.1
    if_index : 16 (ipsec0)
    flags : Request A records
    reach : 0x00000002 (Reachable)

    resolver #2
    domain : local
    options : mdns
    timeout : 5
    flags : Request A records
    reach : 0x00000000 (Not Reachable)
    order : 300000

    resolver #3
    domain : 254.169.in-addr.arpa
    options : mdns
    timeout : 5
    flags : Request A records
    reach : 0x00000000 (Not Reachable)
    order : 300200

    resolver #4
    domain : 8.e.f.ip6.arpa
    options : mdns
    timeout : 5
    flags : Request A records
    reach : 0x00000000 (Not Reachable)
    order : 300400

    resolver #5
    domain : 9.e.f.ip6.arpa
    options : mdns
    timeout : 5
    flags : Request A records
    reach : 0x00000000 (Not Reachable)
    order : 300600

    resolver #6
    domain : a.e.f.ip6.arpa
    options : mdns
    timeout : 5
    flags : Request A records
    reach : 0x00000000 (Not Reachable)
    order : 300800

    resolver #7
    domain : b.e.f.ip6.arpa
    options : mdns
    timeout : 5
    flags : Request A records
    reach : 0x00000000 (Not Reachable)
    order : 301000

    DNS configuration (for scoped queries)

    resolver #1
    nameserver[0] : 172.20.10.1
    if_index : 5 (en0)
    flags : Scoped, Request A records
    reach : 0x00020002 (Reachable,Directly Reachable Address)

    resolver #2
    nameserver[0] : 192.168.20.1
    if_index : 16 (ipsec0)
    flags : Scoped, Request A records
    reach : 0x00000002 (Reachable)

    0
  • LAYER 8 Netgate

    So when you're connected to the VPN do both of these work quickly? (one sec)

    dig @172.20.20.1 www.google.com

    dig @192.168.20.1 www.google.com

    0
  • T

    dig @172.20.20.1 www.google.com

    Connection Times Out

    dig @192.168.20.1 www.google.com

    Responds immediately <200ms

    0
  • T

    Just in case you had a typo I also ran

    dig @172.20.10.1 www.google.com

    this responded under 200ms as well.

    0
  • LAYER 8 Netgate

    Yeah that was a typo. Sorry. If both name servers respond in the same time frame (200ms is nothing to write home about) then I guess it's not DNS. If you do not NEED the clients to use a DNS server on the other side of the VPN, I don't think I would push it to them.

    What, specifically, are you seeing?

    0
  • T

    My reason for pushing DNS to the other side is so that I can connect to machines on the other side using the hostnames stored in DNS Resolver and that part works. It's the internet connection that's the problem.

    The thing that I can't get my head around is where is 172.20.10.1 coming from, as far as I know I didn't set it up.

    0
  • LAYER 8 Netgate

    The looks like the ethernet LAN on the client.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy