 From:  Ludvik Roubicek <ludvik at roubicek dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with slow and nonreliable IPSec tunnel
 Date:  Tue, 18 Jun 2013 04:31:00 +0200

I have finally found the main cause of the problem - the 3rd network 
interface enabled in Site 2. But not the bug, of course. On one end (Site 
2) I had enabled all 3 network interfaces and their network was divided 
into office and shop. On the other end (Site 1) I had the same board (ALIX 
2D3) but only 2 interfaces enabled.

Just repeating: When connecting from PC2 (office network) in Site 2 thru 
tunnel to the PC1 in Site 1 using the RDP, it crashed many times (half 
of screen loaded, next connection attempt, second half, sometimes 
finished on 5th or 10th attempt). It was working fine when connecting 
from PC2 to PC1 (opposite direction). When I disabled the tunnel and 
used PPTP from PC1 to Site 2, it was working fine and 2-3 times faster 
on the same connection (measured by copying a large file between sites).

CPU usage on both ends was still 10-15 percent. All traffic was 
allowed on the firewall.

When I joined both the networks in Site 2 together and disabled the 
LAN2, it started to work. Not breaking the RDP anymore. The file 
transfer speed was still the same (I didn't have time to test it more 
than few minutes), but the communication was reliable.

I'm using the 

I just wanted you to know about the problem and resolution.
Thank you all for your help.


On 30.5.2013 8:07, Ludvik Roubicek wrote:
> Hello,
> I have a problem with 2 m0n0walls running on ALIXes configured to 
> connect to each other thru an IPSec tunnel.
> The problem might be of course between their providers or let's say 
> providers networks (some traffic shaping and so on).
> Brief info:
> Site1
> LAN, PPTP VPN, IPSec to 2nd site
> Connectivity: 50Mbit/15Mbit, Provider 1
> There is PC1 in LAN, Windows 7 Pro.
> Site2
> LAN, LAN2, PPTP VPN, IPSec to 1st site
> Connectivity: 8Mbit/8Mbit, Provider 2
> There is PC2 in LAN, Windows 7 Pro.
> Site3 - connected only using PPTP VPN on demand
> Connectivity: 30Mbit/30Mbit (shared, typically 10/10Mbps), Provider 3.
> There is my desktop, PC3, Win 7 HP.
> All the sites are geographically different with different providers. 
> But the Provider 1 and Provider 2 are somehow related. Provider 2 buys 
> connectivity from another company belonging to UPC family. And the 
> Provider 1 is direct UPC.
> IPSec tunnel is set between Site1 LAN and Site2 LAN1. Tunnel is up 
> very quickly, pings over tunnel (Site1-Site2) are not so bad (about 
> 15ms), no loss of packets.
> Connecting from Site 3 (PPTP VPN)
> There is no problem. Everything works as expected. When I connect from 
> Site3 to one of the other sites (using PPTP) and try to 
> upload/download a 200MB file (ISO image) from/to remote computers, it 
> runs 750kB/s to 1MB/s without any problems. No disruption, data loss 
> etc. RDP works to both PC1 and PC2 correctly.
> *The problem - connecting between Site 1 and Site 2 (IPSec tunnel)*
> The problems come when I connect using the IPSec tunnel. So when 
> copying from PC1 to PC2 and vice versa.
> The upload/download speed is about 250 - 350 kB/s and it's very 
> unreliable. Sometimes I cannot copy at all, but it happens rarely.
> When I try to connect from *PC2 to PC1 using RDP*, I'm kicked off once 
> I need to move larger data using the RDP, for example when I open 
> remotely webpage with graphics or some local picture). I have to 
> reconnect 4 times till I see the whole picture. So it's able to 
> transfer a small amount of data. That's the main problem.
> And what makes me crazy is that when I connect from *PC1 to PC2 using 
> the RDP*, it works without any problems. Just slow.
> I have tried to change some parameters of the IPSec tunnel (e.g. 
> encryption algorithm) without success.
> The traffic over the IPSec tunnel is completely allowed on firewall. 
> There is no rule blocking it.
> The only thing I haven't tested yet is to disable the tunnel and 
> connect from PC1 to Site2 using the PPTP VPN.
> I'll give it a try today.
> All the 3 places are 80km far from each other, which makes it much 
> harder to test if I need to do a change in cables and so on.
> Do you have any idea how to solve the problem? I've tried to check it 
> with Wireshark, but I cannot find anything meaningful. I know that 
> Provider1 (UPC) limits upload somehow, but I don't know how and how to 
> avoid the problem.
> I guess it's question of some small change or checkbox... :(
> Thanks a lot.
> Ludvik