Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 58 replies
  • Answers 2 answers
  • Subscribers 31 subscribers
  • Views 55742 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site Tunnel mit IPSec - Durchsatz nur 4 kB/s

Duff11

Hallo zusammen,

ich habe zwischen zwei Standorten mit einer SG115 und SG135 eine IPSec Verbindung über IPv6 eingerichtet. Ein Anschluß hat 100Mbit/s Down/Up und der andere hat 200Mbit down/up. Ein ping zwischen beiden UTM's dauert ca. 8ms. Das Einbinden von Freigaben und anschließende Kopieren dauert ewig. Es werden nur 4 kB/s angezeigt.

Leider habe ich keine Idee mehr, wo ich ansetzen soll.

 

Übersicht der IPSec VErbindung in der Site-to-Site Übersicht:

SA: 192.168.30.0/24=2a00:xxxxx   2a00:xxxxx=192.168.1.0/24
VPN ID: 2a00:xxxxxx
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 7800s / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 3600s
 
   

 

 

Danke!



This thread was automatically locked due to age.
  • 0 in reply to BAlfson

    I execute the above command on the sophos utm and after that my connection was lost. I have no remote access anymore.

    The static ipv6 address to outsite is no longer available. I think that I will power off (and on) the utm via power manually.

     

    Let's drive with my car ...

     

     

    On the other site, the utmA has the IP 192.168.50.81 and ipsec for eth7 (wan and ipv6)) and eth0 (lan) 192.168.30.254. The ip 192.168.30.1 is the windows server in the lan.

    A normal ping from utmB with its IP 192.168.1.1 (lan) and 192.168.3.1 (wan and ipv6) can be seen on utmA with tcpdump

     

    sg135:/root # tcpdump -i eth0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    19:23:34.291413 IP 192.168.1.1 > srv2012: ICMP echo request, id 37664, seq 1, length 64
    19:23:34.291801 IP srv2012 > 192.168.1.1: ICMP echo reply, id 37664, seq 1, length 64

     

    The ping you posted is not seen on sg135 (utmA). And utmB is hanging after execution of the command ;-(

     

    Is the test scenario the right one? Should I use other IP addresses?

  • 0 in reply to Duff11

    In UTM B, please copy and paste the following to the command line:

    ping -I 192.168.1.1 192.168.30.254 -s 1500 -M do

    What result does that give?

    I have to admit that I'm a little confused about the topology.  Is the 4kB/sec download between two devices communicating via their IPv4 addresses - or are some local IPv6 addresses connected via the IPsec tunnel?

    MfG - Bob (Bitte auf Deutsch weiterhin.)

  • 0 in reply to BAlfson

    Ergibt das gleiche REsultat. Die Box hängt sich für eine gewisse Zeit weg und ist nicht mehr erreichbar.

     

    Der Download ist von zwei Geräten mit IPv4 hinter den UTMs.

    srv2012 - utm <-> utm - linux

     

    Der linux Rechner mountet per cifs eine Freigabe vom MS-Server und kopiert dann mit rsync von remote zu lokal.

     

    Sind eventuell noch ipsec Kommandos nützlich?

  • 0 in reply to Duff11

    MTU Size des Netzbetreibers (Glasfaser) scheint 1500 zu sein.

  • 0 in reply to Duff11

    That's strange.  I didn't think an MSS issue (the issue that I suspect) could cause a lockup.

    What do you get in the other UTM with this?

    ping -I 192.168.30.254 192.168.1.1 -s 1500 -M do

    MfG - Bob (Bitte auf Deutsch weiterhin.)

  • 0 in reply to BAlfson

    Ich bin gerade auch ein wenig verwirrt. Auf einer UTM sehe ich dieses im tcpdump...

     

    21:07:32.506885 IP (tos 0x0, ttl 64, id 706, offset 0, flags [none], proto UDP (17), length 29)
        192.168.1.127.4500 > 89.204.136.64.4500: [no cksum] isakmp-nat-keep-alive
    21:07:32.636080 IP (tos 0x0, ttl 52, id 41463, offset 0, flags [none], proto UDP (17), length 164)
        89.204.136.64.4500 > 192.168.1.127.4500: [udp sum ok] UDP-encap: ESP(spi=0x02f1d4c2,seq=0x44), length 136
    21:07:32.676742 IP (tos 0x50, ttl 64, id 53525, offset 0, flags [none], proto UDP (17), length 164)
        192.168.1.127.4500 > 89.204.136.64.4500: [no cksum] UDP-encap: ESP(spi=0x00f44c5d,seq=0x49), length 136
    21:07:32.678301 IP (tos 0x50, ttl 64, id 57356, offset 0, flags [none], proto UDP (17), length 164)
        192.168.1.127.4500 > 89.204.136.64.4500: [no cksum] UDP-encap: ESP(spi=0x00f44c5d,seq=0x4a), length 136
    21:07:55.453097 IP (tos 0x0, ttl 64, id 31820, offset 0, flags [none], proto UDP (17), length 29)
        192.168.1.127.4500 > 89.204.136.64.4500: [no cksum] isakmp-nat-keep-alive

     

    Dies ist nicht mein IPv6 IPSec Tunnel. Scheint einer von intern zu extern zu sein (ob da jemand eine NAS-Platte oder sowas eingesteckt hat)...

    Kann dies meinen IPSec Tunnel beeinflußen?

     

    Der ping hing natürlich wieder ...

    loginuser@sg135:/home/login > ping -I 192.168.30.254 192.168.1.1 -s 1500 -M do -c 1
    PING 192.168.1.1 (192.168.1.1) from 192.168.30.254 : 1500(1528) bytes of data.

    Aber -M do besagt ja auch, dass er nicht fragmentieren soll. Und an die 1500 werden scheinbar noch weitere 28 bytes gehangen ...

  • 0 in reply to Duff11

    I would have expected something like the following which is the result I usually see from a don't-fragment ping.

    loginuser@sg135:/home/login # ping -I 192.168.30.254 192.168.1.1 -s 1500 -M do
    PING 192.168.1.1 (192.168.1.1) from 192.168.30.254 : 1500(1528) bytes of data.
    ping: local error: Message too long, mtu=1406
    ping: local error: Message too long, mtu=1406
    ping: local error: Message too long, mtu=1406

     You can look inside an IPsec tunnel.  Find the _REF of a tunnel named Allee with:

    cc get_object_by_name ipsec_connection site_to_site Allee |grep \'ref\'

    Assuming that that gave you REF_IpsSitAllee, you can do a tcpdump on the traffic inside the tunnel with:

    espdump -n --conn REF_IpsSitAllee -vv

    MfG - Bob (Bitte auf Deutsch weiterhin.)

  • 0 in reply to BAlfson

    Danke für die gute Hilfe bisher ...

     

    Ein ping geht scheinbar nur bis ...

    loginuser@sg135:/home/login > ping -I 192.168.50.81 192.168.1.1 -s 1362
    PING 192.168.1.1 (192.168.1.1) from 192.168.50.81 : 1362(1390) bytes of data.
    1370 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=5.72 ms
    1370 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=5.57 ms
    ^C
    --- 192.168.1.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 5.578/5.649/5.720/0.071 ms
    loginuser@sg135:/home/login > ping -I 192.168.50.81 192.168.1.1 -s 1364 -c 1
    PING 192.168.1.1 (192.168.1.1) from 192.168.50.81 : 1364(1392) bytes of data.

    --- 192.168.1.1 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

     

     

    Das cc Kommando kenne ich nicht. Nur die ipsec <optionen>.

    sg135:/root # cc get_object_by_name ipsec_connection site_to_site Allee
    0

     

    Beim dump für eine der Verbindungen...

    sg135:/root # espdump -n --conn S_REF_IpsSitA2B
    Running: tcpdump -ieth7 -Efile /tmp/espdump.12552/sas -s0 -n (esp) and ((host bxxx:xxxx::xxxx8 and host axxx:xxxx::xxxx9))
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth7, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:11:03.083223 IP6 bxxx:xxxx::xxxx8 > axxx:xxxx::xxxx9: ESP(spi=0xd4934d25,seq=0x341), length 100: IP 192.168.30.145.1022 > 192.168.1.99.2049: Flags [.], ack 1337913436, win 229, options [nop,nop,TS val 3818201 ecr 81674839], length 0
    22:11:03.088914 IP6 axxx:xxxx::xxxx9 > bxxx:xxxx::xxxx8: ESP(spi=0x3b705b02,seq=0x442), length 100: IP 192.168.1.99.2049 > 192.168.30.145.1022: Flags [.], ack 1, win 235, options [nop,nop,TS val 81689841 ecr 3803201], length 0
    22:11:03.239305 IP6 bxxx:xxxx::xxxx8 > axxx:xxxx::xxxx9: ESP(spi=0xd4934d25,seq=0x342), length 212: IP 192.168.30.145.3718963109 > 192.168.1.99.2049: 104 getattr [|nfs]
    22:11:03.244660 IP6 axxx:xxxx::xxxx9 > bxxx:xxxx::xxxx8: ESP(spi=0x3b705b02,seq=0x443), length 148: IP 192.168.1.99.2049 > 192.168.30.145.3718963109: reply ok 44 getattr [|nfs]
    22:11:03.245127 IP6 bxxx:xxxx::xxxx8 > axxx:xxxx::xxxx9: ESP(spi=0xd4934d25,seq=0x343), length 100: IP 192.168.30.145.1022 > 192.168.1.99.2049: Flags [.], ack 49, win 229, options [nop,nop,TS val 3818241 ecr 81689879], length 0
    22:11:03.634498 IP6 axxx:xxxx::xxxx9 > bxxx:xxxx::xxxx8: ESP(spi=0x3b705b02,seq=0x444), length 884: IP 192.168.1.226.5060 > 192.168.30.3.5060: SIP, length: 814

  • 0 in reply to Duff11

    Anbei noch die Ausgabe vom cc Kommando (ich musste den Namen mit Leerzeichen verwenden, den ich im Webadmin angegeben habe):

     

    sg135:/root # cc get_object_by_name ipsec_connection site_to_site "standortA - standortB"
    {
              'autoname' => 0,
              'class' => 'ipsec_connection',
              'data' => {
                          'auto_pf_in' => 'REF_PacPacAnyFromFritz',
                          'auto_pf_out' => 'REF_PacPacAnyFromGlasf',
                          'auto_pfrule' => 1,
                          'bind' => 0,
                          'comment' => '',
                          'interface' => 'REF_IntEthEth7',
                          'name' => 'standortA - standortB',
                          'networks' => [
                                          'REF_NetIntEth7Networ',
                                          'REF_DefaultInternalNetwork'
                                        ],
                          'policy' => 'REF_OrkXmBRdER',
                          'remote_gateway' => 'REF_IpsRemStandortAStandortB',
                          'status' => 1,
                          'strict_routing' => 0
                        },
              'hidden' => 0,
              'lock' => '',
              'nodel' => '',
              'ref' => 'REF_IpsSitStandortAStandortB',
              'type' => 'site_to_site'
            }

  • 0 in reply to Duff11

    sg135:/root # espdump -n --conn REF_IpsSitStandortAStandortB -vv
    Running: tcpdump -ieth7 -Efile /tmp/espdump.25934/sas -s0 -n -vv (esp) and ((host axxx:xxxx::xxxx and host bxxx:xxxx::xxxx))
    tcpdump: listening on eth7, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:02:34.504311 IP6 (hlim 250, next-header ESP (50) payload length: 404) bxxx:xxxx::xxxx > axxx:xxxx::xxxx: ESP(spi=0x455ce51e,seq=0x880), length 404: IP (tos 0x0, ttl 127, id 1090, offset 0, flags [DF], proto TCP (6), length 356)
        192.168.1.117.49165 > 192.168.30.1.445: Flags [P.], cksum 0xefce (correct), seq 330896638:330896954, ack 39452055, win 254, length 316SMB-over-TCP packet:(raw data or continuation?)

    08:02:34.505193 IP6 (hlim 64, next-header ESP (50) payload length: 324) axxx:xxxx::xxxx > bxxx:xxxx::xxxx: ESP(spi=0x3f04ecc7,seq=0x71f), length 324: IP (tos 0x0, ttl 127, id 1548, offset 0, flags [DF], proto TCP (6), length 284)
        192.168.30.1.445 > 192.168.1.117.49165: Flags [P.], cksum 0x2dd1 (correct), seq 1:245, ack 316, win 253, length 244SMB-over-TCP packet:(raw data or continuation?)

    08:02:34.510626 IP6 (hlim 250, next-header ESP (50) payload length: 180) bxxx:xxxx::xxxx > axxx:xxxx::xxxx: ESP(spi=0x455ce51e,seq=0x881), length 180: IP (tos 0x0, ttl 127, id 1091, offset 0, flags [DF], proto TCP (6), length 132)
        192.168.1.117.49165 > 192.168.30.1.445: Flags [P.], cksum 0xaed3 (correct), seq 316:408, ack 245, win 253, length 92SMB-over-TCP packet:(raw data or continuation?)

    08:02:34.511289 IP6 (hlim 64, next-header ESP (50) payload length: 212) axxx:xxxx::xxxx > bxxx:xxxx::xxxx: ESP(spi=0x3f04ecc7,seq=0x720), length 212: IP (tos 0x0, ttl 127, id 1549, offset 0, flags [DF], proto TCP (6), length 168)
        192.168.30.1.445 > 192.168.1.117.49165: Flags [P.], cksum 0xa41f (correct), seq 245:373, ack 408, win 253, length 128SMB-over-TCP packet:(raw data or continuation?)

    08:02:34.516666 IP6 (hlim 250, next-header ESP (50) payload length: 308) bxxx:xxxx::xxxx > axxx:xxxx::xxxx: ESP(spi=0x455ce51e,seq=0x882), length 308: IP (tos 0x0, ttl 127, id 1092, offset 0, flags [DF], proto TCP (6), length 260)
        192.168.1.117.49165 > 192.168.30.1.445: Flags [P.], cksum 0xfad2 (correct), seq 408:628, ack 373, win 253, length 220SMB-over-TCP packet:(raw data or continuation?)

    08:02:34.517365 IP6 (hlim 64, next-header ESP (50) payload length: 324) axxx:xxxx::xxxx > bxxx:xxxx::xxxx: ESP(spi=0x3f04ecc7,seq=0x721), length 324: IP (tos 0x0, ttl 127, id 1550, offset 0, flags [DF], proto TCP (6), length 284)
        192.168.30.1.445 > 192.168.1.117.49165: Flags [P.], cksum 0x46af (correct), seq 373:617, ack 628, win 252, length 244SMB-over-TCP packet:(raw data or continuation?)

    ...

    and some sip traffic which is working...

    08:03:07.395197 IP6 (hlim 250, next-header ESP (50) payload length: 900) axxx:xxxx::xxxx > bxxx:xxxx::xxxx: ESP(spi=0x455ce51e,seq=0x8ab), length 900: IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 859)
        192.168.1.227.5060 > 192.168.30.3.5060: [udp sum ok] SIP, length: 831
            REGISTER sip:192.168.30.3:5060 SIP/2.0
            Via: SIP/2.0/UDP 192.168.1.227:5060;branch=z9hG4bK2452320308
            From: "B User1" <sip:05@192.168.30.3:5060>;tag=2178585412
            To: "B User1" <sip:05@192.168.30.3:5060>
            Call-ID: 0_116685649@192.168.1.227
            CSeq: 1274 REGISTER
            Contact: <sip:05@192.168.1.227:5060>
            Proxy-Authorization: Digest username="hi1nvkt", realm="3CXPhoneSystem", nonce="414d535c11732f9c42:51923f46fcf2023e0407ca2ad9ebcc1b", uri="sip:192.168.30.3:5060", response="6a858d2e0ceda603e09de93cf3ad31b7", algorithm=MD5
            Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
            Max-Forwards: 70
            User-Agent: Yealink SIP-T46S 66.82.0.20 805ec0223814
            Expires: 120
            Allow-Events: talk,hold,conference,refer,check-sync
            Mac: 80:5e:c0:22:38:14
            Content-Length: 0


            0x0000:  5245 4749 5354 4552 2073 6970 3a31 3932
            0x0010:  2e31 3638 2e33 302e 333a 3530 3630 2053
            0x0020:  4950 2f32 2e30 0d0a 5669 613a 2053 4950
            0x0030:  2f32 2e30 2f55 4450 2031 3932 2e31 3638
            0x0040:  2e31 2e32 3237 3a35 3036 303b 6272 616e
            0x0050:  6368 3d7a 3968 4734 624b 3234 3532 3332
            0x0060:  3033 3038 0d0a 4672 6f6d 3a20 2254 5033
            0x0070:  2042 656e 6a61 6d69 6e22 203c 7369 703a
            0x0080:  3035 4031 3932 2e31 3638 2e33 302e 333a
            0x0090:  3530 3630 3e3b 7461 673d 3231 3738 3538