IPsec Site to Site - Strange behavior
-
Hi everyone,
I have 5 locations all connected to each other through IPsec Site to Site VPN. All sites have pfSense 2.2.4 running on VMWare virtual machines.
Locations are: 3 in Germany, one in US and one in China.
All site to site connections are running very well except one. All the site to site connections are configured the same. The problem I have is only with the connection from the Headquarter in Germany to our production facility in China.
This IPsec connection is established but I have a lot of packet loss and it´s very slow. I did a parallel ping on the external interface and on the interface of an internal server (through IPsec VPN).
Almost no packet loss on the external interface (public IP on the firewall), but through the tunnel it is more than 50%. I made the same from the other 3 sites (Ping to external and internal interface in China) and there is no difference in packet loss. Also no packet loss when I ping the other 3 sites from headquarter. I did all this tests in the same time to make sure bandwith is not the problem.Any idea why this particular connection is so slow?
Thanks in advance
Ivo
-
Have you tried messing with MSS/MTU settings? Could be some fragmentation issue when sending through the tunnel.
-
Any idea why this particular connection is so slow?
Likely the great firewall of China. They drop a lot of encrypted traffic. You may or may not be able to keep a VPN up to there with any degree of reliability without jumping through hoops.
The MSS clamping suggestion is worth trying at least, but the fact you're dropping pings inside the tunnel and not outside proves that's not the only problem as pings are small enough that they won't encounter any such issues.