Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSEC site2site (new connection mode) extremly slow
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSEC site2site (new connection mode) extremly slow (Read 1964 times)
mts
Newbie
Posts: 14
Karma: 0
IPSEC site2site (new connection mode) extremly slow
«
on:
March 12, 2024, 09:16:02 am »
Hello guys,
I have a policy-based IPSEC-tunnel between two networks which is extremly slow.
Site A) has a 100/100Mbit sync fiber-line
Site B) has a 400/50Mbit async line
I'm currently reaching 4!!! Mbit via my VPN-tunnel.
It is only related to IPSEC-VPN. When I use a openVPN roadwarrior connections everything is fine.
The log files do not show any errors or warnings.
My settings are quite basic:
Settings:
Proposals: aes256-sha512-ecp521 [DH21, NIST EC]
Version: IKEv2
MOBIKE: enabled
DPD delay: 10s
Pools: nothing
Authentication: Public key
Children:
Mode: Tunnel
Policies: enabled
Start action: Start
Stop action: Start
DPD action: Start
ESP-proposals: default
Rekay time: 36600
I also tried to enable IPsec normalization with max MSS of 1350 (as I read this on several forums).
The CPU is more or less non-stop idle.
Statistic IPsec-Interface (enc0):
mtu: 1536
received-errors: 0
dropped-packets: 0
send-errors: 0
collisions: 0
Actually I have no idea why it is that slow.
«
Last Edit: March 12, 2024, 09:34:10 am by mts
»
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1596
Karma: 176
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #1 on:
March 12, 2024, 09:33:50 am »
Could you try the same with aes256-sha256-dh14 ? Maybe the CPU is too slow for your encryption settings?
Logged
Hardware:
DEC740
mts
Newbie
Posts: 14
Karma: 0
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #2 on:
March 12, 2024, 09:36:18 am »
Sorry, I forgot to mention:
The CPU is more or les idle all the time.
The "slow" opnsense on site B) is a Celeron J4125 Quad Core while the "strong" opnsense on site A) is much larger...
> To be sure I changed to aes256-sha256-modp2048[dh14] > no difference.
«
Last Edit: March 12, 2024, 09:44:36 am by mts
»
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1596
Karma: 176
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #3 on:
March 12, 2024, 09:49:53 am »
How do you test this? Did you use iperf3?
Logged
Hardware:
DEC740
mts
Newbie
Posts: 14
Karma: 0
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #4 on:
March 12, 2024, 10:23:59 am »
Unfortunately I did not use iperf3 as I'm not sure how to use it.
My ipsec-VPN is policy-based, so the is no interface to bind on.
How do I use iperf without an ethernet-interface?
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1596
Karma: 176
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #5 on:
March 12, 2024, 10:49:55 am »
Well the policy connects at least two networks that are on these firewalls.
So on one firewall you do "iperf3 -s"
and on the other you do "iperf3 -c 192.168.1.1" (the IP is an interface that the policy allows connection to on your other firewall, so for example the interface IP of your LAN NET)
Make sure your firewall allows tcp 5201. (Best allow it in floating rules temporarily on the interfaces IPsec/LAN)
Logged
Hardware:
DEC740
mts
Newbie
Posts: 14
Karma: 0
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #6 on:
March 13, 2024, 08:49:59 am »
I have to do a one-eighty...
I used iperf now it it shows absolutely no problem... I have all the bandwidth that is available.
I don't know where my problem is.
I'm using remote-desktop from a Mac on site B) to a windows machine on site A).
It is very laggy and slow. Unter "Connection information" it shows a bandwidth of around 4Mbit.
As soon as I open a openVPN roadwarrior-connection from my Mac on site B) it shows 30Mbit.
a) My Mac does something strange
or
b) opnsense somehow slows down data while routing.
Logged
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #7 on:
March 13, 2024, 09:05:50 am »
MTU/MSS mismatch?
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
mts
Newbie
Posts: 14
Karma: 0
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #8 on:
March 13, 2024, 07:35:25 pm »
I don't see the problem.
perf3 from firewall to firewall shows no problem and I have the full bandwidth, but as soon as I want to use any service like file-transfer, remote-desktop, ... the connection is EXTREMLY slow.
Any hint where I could take a look?
Logged
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #9 on:
March 13, 2024, 08:34:49 pm »
Try to set an MSS size of e.g. 1300 just for test purposes on the LAN (or differently named "private") interfaces on both sides. If that fixes the problem, investigate what the proper MSS size needs to be.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
mts
Newbie
Posts: 14
Karma: 0
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #10 on:
March 13, 2024, 11:07:04 pm »
Actually that did the trick.
I've set it to 1300 (which is in my opinion pretty small) and it works perfectly.
Shoudn't I limit this normalization to traffic between those networks?
Logged
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: IPSEC site2site (new connection mode) extremly slow
«
Reply #11 on:
March 13, 2024, 11:31:08 pm »
So now you need to find the WAN MTU of the two systems (probably either 1500 or 1492 if PPPoE is involved) and subtract 60 for the outer IP and ESP headers. The real overhead can be as small as 50 but depends on the payload packet size, so 60 is a good value that will always work.
EDIT: depending on your cryptographic alhorithms the overhead can be even larger. So you should probably test it with ping like so:
https://yurisk.info/2022/08/30/network-mtu-maximum-size-testing-with-ping-on-linux-and-windows/
Or find out why PMTUD does not work automatically for you. Are both VPN gateways OPNsense? Are you limiting ICMP in any way?
«
Last Edit: March 14, 2024, 12:24:29 am by Patrick M. Hausen
»
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSEC site2site (new connection mode) extremly slow