 From:  Ludvik Roubicek <ludvik at roubicek dot net>
 To:  Jack <jack at jbyte dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with slow and nonreliable IPSec tunnel
 Date:  Fri, 31 May 2013 00:45:43 +0200
On 30.5.2013 9:30, Jack wrote:
> On 30.05.2013 08:07, Ludvik Roubicek wrote:
>> Hello,
>> I have a problem with 2 m0n0walls running on ALIXes, configured to 
>> connect to each other through an IPSec tunnel.
>> The problem might of course be between their providers, or let's say 
>> the providers' networks (some traffic shaping and so on).
>> Brief info:
>> Site1
>> LAN, PPTP VPN, IPSec to 2nd site
>> Connectivity: 50Mbit/15Mbit, Provider 1
>> There is PC1 in LAN, Windows 7 Pro.
>> Site2
>> LAN, LAN2, PPTP VPN, IPSec to 1st site
>> Connectivity: 8Mbit/8Mbit, Provider 2
>> There is PC2 in LAN, Windows 7 Pro.
>> Site3 - connected only using PPTP VPN on demand
>> Connectivity: 30Mbit/30Mbit (shared, typically 10/10Mbps), Provider 3.
>> There is my desktop, PC3, Win 7 HP.
>> All the sites are geographically different, with different providers. 
>> But Provider 1 and Provider 2 are somehow related. Provider 2 
>> buys connectivity from another company belonging to the UPC family, and 
>> Provider 1 is UPC directly.
>> The IPSec tunnel is set up between Site1 LAN and Site2 LAN1. The tunnel comes up 
>> very quickly, pings over the tunnel (Site1-Site2) are not so bad (about 
>> 15ms), no loss of packets.
>> Connecting from Site 3 (PPTP VPN):
>> There is no problem. Everything works as expected. When I connect 
>> from Site3 to one of the other sites (using PPTP) and try to 
>> upload/download a 200MB file (ISO image) from/to the remote computers, it 
>> runs at 750kB/s to 1MB/s without any problems. No disruption, data loss, 
>> etc. RDP works to both PC1 and PC2 correctly.
>> *The problem - connecting between Site 1 and Site 2 (IPSec tunnel)*
>> The problems come when I connect using the IPSec tunnel, so when 
>> copying from PC1 to PC2 and vice versa.
>> The upload/download speed is about 250 - 350 kB/s and it's very 
>> unreliable. Sometimes I cannot copy at all, but it happens rarely.
>> When I try to connect from *PC2 to PC1 using RDP*, I'm kicked off 
>> once I need to move larger data over RDP, for example when I 
>> remotely open a webpage with graphics or some local picture. I have to 
>> reconnect 4 times until I see the whole picture. So it's able to 
>> transfer a small amount of data. That's the main problem.
>> And what makes me crazy is that when I connect from *PC1 to PC2 using 
>> the RDP*, it works without any problems. Just slow.
>> I have tried to change some parameters of the IPSec tunnel (e.g. 
>> encryption algorithm) without success.
>> The traffic over the IPSec tunnel is completely allowed on firewall. 
>> There is no rule blocking it.
>> The only thing I haven't tested yet is to disable the tunnel and 
>> connect from PC1 to Site2 using the PPTP VPN.
>> I'll give it a try today.
>> All 3 places are 80km from each other, which makes it much 
>> harder to test if I need to change cables and so on.
>> Do you have any idea how to solve the problem? I've tried to check it 
>> with Wireshark, but I cannot find anything meaningful. I know that 
>> Provider1 (UPC) somehow limits upload, but I don't know how, or how to 
>> avoid the problem.
>> I guess it's question of some small change or checkbox... :(
>> Thanks a lot.
>> Ludvik
> Hi Ludvik,
> Could it be that you have an MTU issue? What Internet connections are 
> you using? DHCP, PPPoE, PPTP?
> Try some pings from Site1 to Site2 and vice versa.
> On Windows:
> ping other-site -f -l xxxx
> Put 1500 for xxxx and go down until you get clean responses.
> I'm wondering if you get different values on the two sites.
> Best regards
> Jakob
Hi Jack,
I have lowered the MTU on both ends to 1400. Fragmented packets are 
allowed in advanced settings, firewall rules and tunnel configuration. 
They confirm that the connection is slightly faster now.
The ping response time ranges from 20ms to 200ms but there is no packet 
Actually I don't know the type of the connection; I have just ethernet 
on both ends with border IP addresses.
The problem with RDP persists and the speed of copying thru the tunnel 
is the same (about 250kB/s).
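As an added example (not code from the thread), the probe Jakob suggests, done as a binary search on the don't-fragment payload instead of stepping down by hand; the ping.exe flags are the ones quoted above, `windows_ping_df` is a hypothetical Windows-only wrapper, and the search takes any `probe(size)` callable so it can be exercised with a fake path offline.

```python
import subprocess
import sys
from typing import Callable

# Windows "ping -l N" sets the ICMP payload to N bytes; the IP header (20) and
# ICMP header (8) come on top, so the packet on the wire is N + 28 bytes.
HEADER_OVERHEAD = 28
# Largest payload that fits a standard 1500-byte Ethernet MTU.
MAX_ETHERNET_PAYLOAD = 1500 - HEADER_OVERHEAD


def windows_ping_df(host: str, payload: int, timeout_ms: int = 2000) -> bool:
    """One don't-fragment probe with ping.exe (flags as quoted in the thread).

    Returns True only when a reply came back; a "needs to be fragmented"
    message or a timeout counts as failure. Hypothetical helper, Windows only.
    """
    result = subprocess.run(
        ["ping", host, "-n", "1", "-w", str(timeout_ms), "-f", "-l", str(payload)],
        capture_output=True, text=True,
    )
    return result.returncode == 0 and "fragmented" not in result.stdout


def largest_df_payload(probe: Callable[[int], bool],
                       low: int = 0, high: int = MAX_ETHERNET_PAYLOAD) -> int:
    """Binary-search the largest payload that gets a reply with DF set.

    probe(size) returns True when a reply arrived. Assumes the usual
    monotonic behaviour: if a size gets through, every smaller size does too.
    """
    if not probe(low):
        # Even a tiny probe failed: host down or ICMP filtered, not an MTU result.
        raise RuntimeError("no reply even for the smallest probe; result inconclusive")
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Path MTU in bytes as seen from this host: largest passing payload + headers."""
    return largest_df_payload(probe) + HEADER_OVERHEAD


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    print("path MTU towards", target, "=", path_mtu(lambda n: windows_ping_df(target, n)))
```

Run from PC1 against PC2 it measures the MTU inside the tunnel (ESP overhead already subtracted), which is the value to compare with the 1400 set on the m0n0walls; if even the smallest probe gets no reply, ICMP is being dropped somewhere on the path and the result says nothing about the MTU.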