Messages - Yordan Yordanov

#31
Did you find a way to enable these notifications? I can't see a Notify button either.
#32
15.1 Legacy Series / [SOLVED] IPsec and TCP flows
April 05, 2015, 04:44:34 PM
The system is running version 15.1.8.3-c6240d38f (amd64). I have configured three interfaces - one LAN and two ISP lines. Currently a rule is sending all the traffic into the first line only, which has a public static IPv4 address. Outbound NAT is set to automatic mode.

It seems to work okay until I tried to set up several IPsec tunnels. Most of them were connected although the interface shows that they are disconnected, but this is a known issue. The problem is that all the VPN connections are very unstable. When pinging remote hosts, there are no lost packets at all. However, when I log on using Remote Desktop the connection is lost every 30-35 seconds and it takes about 20 seconds to reconnect itself. The tunnel itself does not get disconnected - after my Remote Desktop session stops responding, I continue to receive ICMP echo replies. I have not tested with UDP traffic as I don't have an application that uses UDP. Additionally, RDP connections to the Internet directly work OK. This is what I have tested so far:

1. Changing IKE version - tunnels do not connect. Only one tunnel connects, but the other side is running pfSense which supports IKEv2. However the issue persists with IKEv2 too.
2. Disabling ISP balancing (I had previously configured ISP balancing but disabled it to troubleshoot the issue), enabling only ISP Failover to alternate line. The issue persists.
3. Setting Prefer older IPSec SAs. The issue persists.
4. Setting Do not install LAN SPD - unchecks itself automatically after Save and reloading the page. The issue persists.
5. Setting Enable TCP MSS clamping on VPN traffic - tried with 1200 and 1400 bytes, the issue still persists.

I also did a tcpdump for one of the tunnels during which I just typed some text in Notepad on the remote computer which looks like this:
16:49:37.542263 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa2d), length 84
16:49:37.554964 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa92), length 92
16:49:37.575476 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa2e), length 84
16:49:37.586123 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa93), length 92
16:49:37.607720 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa2f), length 84
16:49:37.617368 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa94), length 92
16:49:37.641175 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa30), length 84
16:49:37.648702 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa95), length 92
16:49:37.674312 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa31), length 84
16:49:37.680109 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa96), length 92
16:49:37.707601 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa32), length 84
16:49:37.711110 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa97), length 92
16:49:37.739768 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa33), length 84
16:49:37.742396 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa98), length 92
16:49:37.773296 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa34), length 84
16:49:37.789533 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa99), length 156
16:49:37.806428 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa35), length 84
16:49:37.820509 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9a), length 132
16:49:37.839801 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa36), length 84
16:49:37.851763 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9b), length 100
16:49:37.872443 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa37), length 84
16:49:37.883013 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9c), length 92
16:49:37.905261 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa38), length 84
16:49:37.914280 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9d), length 92
16:49:37.938347 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa39), length 84
16:49:37.945486 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9e), length 92
16:49:37.971371 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3a), length 84

When the RDP session stopped responding, this is what I captured:

16:49:37.976871 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9f), length 92
16:49:38.101861 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa0), length 92
16:49:38.195728 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa1), length 116
16:49:38.852116 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa2), length 116
16:49:39.133557 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa3), length 372
16:49:39.289521 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa4), length 84
16:49:40.055345 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa5), length 412
16:49:40.133263 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa6), length 100
16:49:41.133313 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa7), length 92
16:49:41.398770 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3b), length 84
16:49:41.399912 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa8), length 76
So my side stops responding for a period, but I don't know why. The line quality is excellent: when plugging it into another router, there are no issues, the VPN connections are established successfully and operate normally. However, I have to replace the old router with OPNsense.

I am very frustrated by this issue as I have been trying to work it out for weeks, but no result. Could someone help me with this, maybe I am missing something?
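As an added illustration (not part of the original post or of OPNsense), here is a small Python checker for tcpdump ESP summary lines like the ones quoted above. It reports which peer went quiet and for how long, and counts skipped ESP sequence numbers per SPI, which separates "my side stopped transmitting" from "packets were lost on the line". The function names are my own; the sample lines are copied from the capture in the post.

```python
import re
from datetime import datetime

# Format of the tcpdump summary lines quoted in the post above.
ESP_LINE = re.compile(r"^(?P<ts>[\d:.]+) IP (?P<src>\S+) > \S+: "
                      r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\), length \d+$")

def parse_esp(lines):
    """Parse tcpdump ESP summary lines; anything else (IKE, ICMP, ...) is skipped."""
    pkts = []
    for m in filter(None, map(ESP_LINE.match, lines)):
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        pkts.append({"t": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
                     "src": m["src"], "spi": m["spi"], "seq": int(m["seq"], 16)})
    return pkts

def find_stalls(pkts, max_gap):
    """Pauses longer than max_gap between packets of one SPI (a peer going quiet): (src, spi, gap_s, seq_before, seq_after)."""
    last, stalls = {}, []
    for p in pkts:
        prev = last.get((p["src"], p["spi"]))
        if prev and p["t"] - prev["t"] > max_gap:
            stalls.append((p["src"], p["spi"], p["t"] - prev["t"], prev["seq"], p["seq"]))
        last[p["src"], p["spi"]] = p
    return stalls

def seq_loss(pkts):
    """Per SPI, ESP sequence numbers skipped: >0 means drops on the path, 0 means the quiet peer simply did not send."""
    lost, last_seq = {}, {}
    for p in pkts:
        prev = last_seq.get(p["spi"], p["seq"] - 1)
        lost[p["spi"]] = lost.get(p["spi"], 0) + max(0, p["seq"] - prev - 1)
        last_seq[p["spi"]] = p["seq"]
    return lost

# Lines taken from the capture in the post: the last normal packet and the stall.
SAMPLE_CAPTURE = """\
16:49:37.971371 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3a), length 84
16:49:37.976871 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xa9f), length 92
16:49:38.101861 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa0), length 92
16:49:38.195728 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa1), length 116
16:49:38.852116 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa2), length 116
16:49:39.133557 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa3), length 372
16:49:39.289521 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa4), length 84
16:49:40.055345 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa5), length 412
16:49:40.133263 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa6), length 100
16:49:41.133313 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa7), length 92
16:49:41.398770 IP my.side > their.side: ESP(spi=0xc3028c6c,seq=0xa3b), length 84
16:49:41.399912 IP their.side > my.side: ESP(spi=0xcda44f21,seq=0xaa8), length 76
"""
```

On the quoted capture, `find_stalls(parse_esp(SAMPLE_CAPTURE.splitlines()), 1.5)` reports only my.side, silent for about 3.4 s with seq 0xa3a followed directly by 0xa3b, and `seq_loss` is zero for both SPIs, so nothing was dropped on the wire during the stall.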