Site-to-Site Tunnel mit IPSec - Durchsatz nur 4 kB/s

Im Logfile ipsec.log steht noch folgendes

<pre>

2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1441: starting keying attempt 1392 of an unlimited number
2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1441 {using isakmp#13
43}
2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_ID_INFORMATION
2018:07:17-20:36:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: initiating Main Mode to replace #1343
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [strongSwan]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring Vendor ID payload [Cisco-Unity]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [XAUTH]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [Dead Peer Detection]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [RFC 3947]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: enabling possible NAT-traversal with method 3
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: NAT-Traversal: Result using RFC 3947: no NAT detected
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: Peer ID is ID_IPV6_ADDR: 'xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: Dead Peer Detection (RFC 3706) enabled
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ISAKMP SA established
2018:07:17-20:36:42 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable resp
onse to our first Quick Mode message: perhaps peer likes no proposal
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: starting keying attempt 1393 of an unlimited number
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1444: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1442 {using isakmp#14
43}
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_ID_INFORMATION
2018:07:17-20:37:32 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:37:52 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:38:32 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1444: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable resp
onse to our first Quick Mode message: perhaps peer likes no proposal

</pre>

Im Logfile ipsec.log steht noch folgendes

<pre>

2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1441: starting keying attempt 1392 of an unlimited number
2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1441 {using isakmp#13
43}
2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_ID_INFORMATION
2018:07:17-20:36:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: initiating Main Mode to replace #1343
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [strongSwan]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring Vendor ID payload [Cisco-Unity]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [XAUTH]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [Dead Peer Detection]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [RFC 3947]
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: enabling possible NAT-traversal with method 3
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: NAT-Traversal: Result using RFC 3947: no NAT detected
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: Peer ID is ID_IPV6_ADDR: 'xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: Dead Peer Detection (RFC 3706) enabled
2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ISAKMP SA established
2018:07:17-20:36:42 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable resp
onse to our first Quick Mode message: perhaps peer likes no proposal
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: starting keying attempt 1393 of an unlimited number
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1444: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1442 {using isakmp#14
43}
2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_ID_INFORMATION
2018:07:17-20:37:32 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:37:52 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_MESSAGE_ID
2018:07:17-20:38:32 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1444: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable resp
onse to our first Quick Mode message: perhaps peer likes no proposal

</pre>

Niemand eine Idee?

Werden eventuell noch weitere Informationen benötigt...

Habe auf beiden Seiten bei IPSec eingestellt, dass eine Verbindung initiiert werden soll (und nicht einmal respond only). Wie gesagt, ein ping funktioniert einwandfrei. Das Übertragen von Daten leider überhaupt nicht ;-(

Entschuldige mich für Englishe Antwort, mein Deutsch ist nicht so gut:

Do you also use Intrusion Protection? If so try to see what throughput is when you disable this (or make an exception for it for traffic inside the tunnel).

Hi,

thanks for your answer.

I already disable Intrusion Detection on one site. Im not sure if I also disable it on the other site.

I will check and give a feedback.

Regards

Same result after disabling Intrusion Detection.

Any other ideas?

I have seen that there are two tun1 interfaces.

One for IPv4 and one for IPv6. Both are for different use (OpenVPN for IPv4 and IPSec for deticated IPv6).

Is that a problem?

Are both interfaces called tun1 ? that sounds odd, I would expect them to have each a unique name.

However I don't really have any other ideas for now, maybe someone else can shed some extra light on this situation.

I do a tcpdump on one of the machines and I see this:

truncated-ip6 - 22052 bytes missing!7f0x:xxxx:xxxx:xxxx:c0a8:1402:1bd:a83d > xxxx:f13:xxxx:xxxxx:xxxx:ff:f2bf:0: ip-proto-64 23402

What does that mean? Problem with windows size?

Hat niemand mehr eine Idee?

Werden mehr Informationen benötigt?