Netgate Discussion Forum
    Extremely low throughput

    PDJ

      I have a problem with IPsec.
      I have configured an IPsec tunnel with GRE (I need to do some special routing, so I need GRE).
      Everything works, but I get very low throughput on the IPsec/GRE tunnel; both ends are connected directly with a gigabit connection.
      When I copy a large file over the network, I get only 4 Mbit with spikes to 20 Mbit, but a very unstable throughput. At the same time I have a ping running from another machine, and it goes from a steady 1 ms to a jumpy 4 to 20 ms.
      The log files of IPsec/racoon say nothing special, just that the tunnel is set up correctly:

      Sep 8 07:58:41 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=109112871(0x680ee27)
      Sep 8 07:58:41 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=127719491(0x79cd843)
      Sep 8 07:58:41 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=160971926(0x9983c96)
      Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=146599732(0x8bcef34)
      Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=228854563(0xda40b23)
      Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
      Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=15753609(0xf06189)
      Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=164379843(0x9cc3cc3)
      Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP 172.16.8.22[500]->172.16.8.17[500] spi=160971926(0x9983c96)
      Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: initiate new phase 2 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
      Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=127719491(0x79cd843)
      Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=42417108(0x2873bd4)
      Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=117860727(0x7066977)
      Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
      Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=162027152(0x9a85690)
      Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=2195156(0x217ed4)
      Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=164379843(0x9cc3cc3)
      Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=15753609(0xf06189)
      Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP 172.16.8.22[500]->172.16.8.17[500] spi=117860727(0x7066977)
      Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: initiate new phase 2 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
      Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=42417108(0x2873bd4)
      Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=205171083(0xc3aa98b)
      Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=63644472(0x3cb2338)
      Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=2195156(0x217ed4)
      Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=162027152(0x9a85690)
      Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
      Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=55345065(0x34c7fa9)
      Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=107959198(0x66f539e)
      Sep 8 10:21:15 	racoon: [IPSEC FW1]: INFO: renegotiating phase1 to 172.16.8.17 due to active phase2
      Sep 8 10:21:15 	racoon: [IPSEC FW1]: INFO: respond new phase 1 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
      Sep 8 10:21:15 	racoon: INFO: begin Aggressive mode.
      Sep 8 10:21:15 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Sep 8 10:21:15 	racoon: INFO: received Vendor ID: DPD
      Sep 8 10:21:15 	racoon: [IPSEC FW1]: INFO: ISAKMP-SA established 172.16.8.22[500]-172.16.8.17[500] spi:25c84f02badbf0b0:d128d5730e184f7c
      Sep 8 10:21:16 	racoon: [IPSEC FW2]: INFO: renegotiating phase1 to 172.16.8.33 due to active phase2
      Sep 8 10:21:16 	racoon: [IPSEC FW2]: INFO: respond new phase 1 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
      Sep 8 10:21:16 	racoon: INFO: begin Aggressive mode.
      Sep 8 10:21:16 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Sep 8 10:21:16 	racoon: INFO: received Vendor ID: DPD
      Sep 8 10:21:16 	racoon: [IPSEC FW2]: INFO: ISAKMP-SA established 172.16.8.38[500]-172.16.8.33[500] spi:a9767b2315e70da1:b16ecafbf951e190
      Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP 172.16.8.22[500]->172.16.8.17[500] spi=63644472(0x3cb2338)
      Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: initiate new phase 2 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
      Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=205171083(0xc3aa98b)
      Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=64373214(0x3d641de)
      Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=30180720(0x1cc8570)
      Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=107959198(0x66f539e)
      Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=55345065(0x34c7fa9)
      Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
      Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=5852710(0x594e26)
      Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=155524182(0x9451c56)
      

      The MSS clamping is set to 1360.
      The MTU size is set to 1412.
      I have played with both settings, but no improvement.

      drawing:

      What's not in the drawing: the GRE tunnel runs over the VLANs.
      From the 3rd firewall there are 2 IPsec tunnels; routing is policy based and the redundancy is done by a gateway failover (gw1: 172.16.9.1, gw2: 172.16.9.17).

      My first setup was IPsec to the 172.16.8.3 CARP address, but that didn't work very well, IPsec and CARP.

      Does somebody know what's wrong here?
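One thing worth checking with a GRE-over-IPsec setup like the one above is whether the GRE interface MTU and the MSS clamp actually fit inside the 1500-byte path once ESP and GRE overhead are added. The following is an added example, not code from the post or from pfSense; it assumes ESP transport mode (as the "ESP/Transport" lines in the racoon log show), a 4-byte GRE header without key/sequence/checksum, IPv4 inside and outside, and AES-CBC with HMAC-SHA1-96 by default (3DES-CBC and tunnel mode are selectable).

```python
# Added example: ESP + GRE overhead calculator for checking a GRE MTU / MSS clamp.
# Assumptions: IPv4 without options, ESP transport mode, 4-byte GRE header,
# AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV) unless overridden.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
GRE_HDR = 4        # GRE header without optional fields

def esp_pad(plain_len, block):
    """ESP padding needed so that plaintext + trailer fills whole cipher blocks."""
    return (-(plain_len + ESP_TRAILER)) % block

def outer_size(inner_len, iv_len=16, block=16, icv=12, tunnel=False):
    """Bytes on the wire for one inner IP packet of inner_len bytes sent GRE-over-ESP.

    In transport mode ESP protects the GRE header plus the inner packet; tunnel
    mode adds another IP header inside the encrypted portion.
    """
    plain = GRE_HDR + inner_len + (IP_HDR if tunnel else 0)
    encrypted = plain + esp_pad(plain, block) + ESP_TRAILER
    return IP_HDR + ESP_HDR + iv_len + encrypted + icv

def max_inner_mtu(path_mtu=1500, iv_len=16, block=16, icv=12, tunnel=False):
    """Largest inner packet whose GRE-over-ESP encapsulation still fits path_mtu."""
    for inner in range(path_mtu, 0, -1):
        if outer_size(inner, iv_len, block, icv, tunnel) <= path_mtu:
            return inner
    return 0

def mss_for(inner_mtu):
    """TCP MSS matching an inner MTU (IPv4 + TCP headers without options)."""
    return inner_mtu - IP_HDR - TCP_HDR

def check_settings(mtu, mss, path_mtu=1500, **cipher):
    """Report whether a configured GRE MTU and MSS clamp avoid fragmentation."""
    limit = max_inner_mtu(path_mtu, **cipher)
    return {
        "max_inner_mtu": limit,
        "max_mss": mss_for(limit),
        "mtu_ok": mtu <= limit,          # GRE packets fit the path without fragmenting
        "mss_ok": mss <= mss_for(mtu),   # TCP segments fit the GRE MTU
    }

if __name__ == "__main__":
    # Values from the post: GRE MTU 1412, MSS clamp 1360.
    print(check_settings(1412, 1360))                     # AES-CBC + HMAC-SHA1-96
    print(check_settings(1412, 1360, iv_len=8, block=8))  # 3DES-CBC + HMAC-SHA1-96
    print(check_settings(1412, 1360, tunnel=True))        # same, but ESP tunnel mode
```

With the defaults, 1412/1360 stay below the transport-mode limits (1434/1394), so a fragmentation problem would have to come from somewhere other than these two values.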
