On Tue, Apr 12, 2011 at 9:56 AM, Mark Wass <mark dot wass at gmail dot com> wrote:

> I don't mean to put down monowall, it's a great product! But sounds like it
> may be time to look at using Pfsense and having a Site-to-Site OpenVPN
> tunnel, they just work nicely!
>
> On Tue, Apr 12, 2011 at 8:03 AM, Jim Spaloss <jspaloss at gmail dot com> wrote:
>
>> Hello all,
>>
>> I have a m0n0wall to m0n0wall IPSec VPN that worked wonderfully for
>> several years. The link is between two nursing home facilities that are
>> about 100 miles apart. One has an 8M/2M cable modem service (Comcast), the
>> other had a 1.5M/384K DSL service (Verizon). Both sides have static IPs.
>>
>> I finally got the management to agree to switch out the DSL for a much
>> faster 30M/5M Cable Service (Optimum) on the one side. However, after
>> switching, my users immediately began to complain about dropped/slow
>> connections across the VPN, and "I thought this was supposed to be faster."
>>
>> I tried allowing fragmented IPSec traffic, but that really didn't help.
>>
>> I began experimenting with lowering the MTU across the tunnel, and found
>> that a significant portion of my traffic was being dropped. The sweet spot
>> seems to be 1418 (1419 drops some traffic). I went searching for a way
>> to permanently lower the tunnel's MTU, but all I could find was a post
>> where the recommendation was to lower the MTU of the WAN interface via
>> ifconfig in a <shellcmd> tag. That seems to make the connection better in
>> my initial testing, but I can't help but think that there is a better way.
>>
>> Most of my user base is in Comcast Territory so I have little experience
>> with Optimum online. I've never had to change an MTU setting on Comcast
>> before. Can anyone tell me if this is normal for Optimum Online? (Cisco
>> Router + Cable Modem w/ 5 Static IPs)
>>
>> I should note that I can connect in to either facility via PPTP and in
>> both cases it is quite fast. Both facilities also show no issues when I
>> try running a bandwidth test like the one at www.speakeasy.net/speedtest.
>>
>> I'll post back tomorrow after the users get back on and I'll have a better
>> idea of whether or not lowering the MTU on the WAN interface worked.
>>
>> Thanks,
>>
>> Jim
>>
>> P.S.
>> Both M0n0walls are identical hardware:
>> Generic PC
>> Sempron 2600+ CPU
>> 256MB RAM
>> 3x Intel Pro1000 PCI adapters + 1 VIA Rhine (On Board)
>> 32MB CF Card

Thanks for the quick reply Mark. I do appreciate the advice.

I am running PFSense in my office, and at a few select clients' sites, and it's also a great product. I'll certainly consider switching to an SSL VPN if I can't get this issue resolved. In your experience, does OpenVPN handle packet loss or fragmentation better than IPSec?

That said, I have m0n0wall deployed at quite a few locations, many of which have been working reliably with IPSec tunnels for several years. This location that I'm dealing with the issue in was trouble-free for several years over IPSec, right until we switched from DSL to cable.

This issue may very well be unrelated to M0n0wall or IPSec, and I probably will pursue it with the ISP. The only reason why I haven't so far is that the same ping command that loses 50% traffic over the tunnel doesn't drop any when going out to an external web site like Google, and I've had no freeze-ups or disconnects when connecting to the site via PPTP. That's what has me stumped.

There are some brilliant people on this list that I've learned quite a bit from, and I'm hoping that one of them might be able to shed some light on my strange (at least to me) problem.

Thanks again.

Jim