Site-to-site tunnel with IPsec - throughput only 4 kB/s

Hello everyone,

I have set up an IPsec connection over IPv6 between two sites with an SG115 and an SG135. One line has 100 Mbit/s down/up and the other has 200 Mbit/s down/up. A ping between the two UTMs takes about 8 ms. Mounting shares and then copying takes forever. Only 4 kB/s is shown.

Unfortunately I have run out of ideas about where to start.

Summary of the IPsec connection in the site-to-site overview:

SA: 192.168.30.0/24=2a00:xxxxx   2a00:xxxxx=192.168.1.0/24
VPN ID: 2a00:xxxxxx
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 7800s / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 3600s

Thanks!



  • Does anyone else have an idea what else I can try?

  • Did you enable the option:  "Support path MTU discovery" under the "remote gateway"?

  • Thanks for your answer. Yes, I did.

    The next idea is to change the MTU size on the tunnel endpoints (clients) to 1390.

    I do not have any problems with small packets, like VoIP.

  • Sorry, but I need your help!

    I changed the MTU to 1390 on both computer endpoints. After mounting a share and transferring data, the speed of the connection slows down again.

    What can I do now to get the tunnel working as expected?

    Thanks

  • Additional info:

    I can see the following in the espdump on the Sophos:

    ....length 1338SMB-over-TCP packet: (raw Data or continuation?)

    One side is Windows, with the share mounted via CIFS on a Linux client. I also disabled LSO in Windows.

  • Assuming that your WAN connection is on eth1, what result do you get from:

    ifconfig eth1

    Best regards - Bob (Please continue in German.)

  • The output of the eth1 (WAN) interface is:

    sg115:/root # ifconfig eth1
    eth1      Link encap:Ethernet  HWaddr 00:1A:8C:43:32:F9  
              inet addr:192.168.3.251  Bcast:192.168.3.255  Mask:255.255.255.0
              inet6 addr: 2a00:6010:13a6:2100:21a:8cff:fe43:32f9/64 Scope:Global
              inet6 addr: fe80::21a:8cff:fe43:32f9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:182535440 errors:0 dropped:1129 overruns:0 frame:0
              TX packets:111550355 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:205820574255 (196285.7 Mb)  TX bytes:30375481945 (28968.3 Mb)

    sg115:/root # ip a s dev eth1
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc hfsc state UP group default qlen 1000
        link/ether 00:1a:8c:43:32:f9 brd ff:ff:ff:ff:ff:ff
        inet 192.168.3.251/24 brd 192.168.3.255 scope global eth1
           valid_lft forever preferred_lft forever
        inet6 2a00:6020:15e6:2200:21a:8cff:fe43:32f9/64 scope global dynamic
           valid_lft 3043sec preferred_lft 1693sec
        inet6 fe80::21a:8cff:fe43:32f9/64 scope link
           valid_lft forever preferred_lft forever

    And on the other UTM (WAN is on eth7):

    sg135:/root # ifconfig eth7
    eth7      Link encap:Ethernet  HWaddr 00:1A:8C:4B:15:D7  
              inet addr:192.168.50.99  Bcast:192.168.50.255  Mask:255.255.255.0
              inet6 addr: fe80::21a:8cff:fe4b:15d7/64 Scope:Link
              inet6 addr: 2a00:6010:23ae:af10:21a:8cff:fe4b:15d7/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:308355686 errors:0 dropped:0 overruns:0 frame:0
              TX packets:178763670 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:384447335574 (366637.5 Mb)  TX bytes:29044146511 (27698.6 Mb)

    sg135:/root # ip a s dev eth7
    9: eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:1a:8c:4b:15:d7 brd ff:ff:ff:ff:ff:ff
        inet 192.168.50.99/24 brd 192.168.50.255 scope global eth7
           valid_lft forever preferred_lft forever
        inet6 2a00:6020:15ee:af00:21a:8cff:fe4b:15d7/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::21a:8cff:fe4b:15d7/64 scope link
           valid_lft forever preferred_lft forever

    I only changed the MTU size on the tunnel endpoints.

  • I'm out of questions.  What does Sophos Support have to say about this?

    Best regards - Bob (Please continue in German.)

  • I do not have a valid subscription for support (only for the license) :(

  • What happens if you use IPv4 instead of IPv6?

    Best regards - Bob (Please continue in German.)
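
Added example, not part of the original thread: the packet-size arithmetic for the ESP proposal listed in the first post (AES_CBC_256 with HMAC_MD5), for inner IPv4 packets carried in a tunnel over IPv6 or IPv4. It assumes plain ESP tunnel mode, a 96-bit truncated HMAC-MD5 ICV and no IP options or extension headers; path MTUs other than the 1500 shown by ifconfig are constructed values.

```python
# Added example: ESP tunnel-mode size arithmetic for AES-CBC + HMAC-MD5-96.
# All function names are hypothetical; header sizes follow the IP/ESP RFCs.

OUTER_HDR = {"ipv6": 40, "ipv4": 20}  # outer IP header, no options/extensions
ESP_HDR = 8            # SPI + sequence number
AES_CBC_IV = 16        # per-packet IV sent in clear
AES_BLOCK = 16         # CBC pads the plaintext to a block multiple
ESP_TRAILER = 2        # pad-length + next-header bytes (encrypted)
HMAC_MD5_96_ICV = 12   # assumption: ICV truncated to 96 bits
NATT_UDP = 8           # only when UDP encapsulation (NAT-T) is in use


def _fixed(outer, nat_t):
    """Bytes added to every packet regardless of payload size."""
    base = OUTER_HDR[outer] + ESP_HDR + AES_CBC_IV + HMAC_MD5_96_ICV
    return base + (NATT_UDP if nat_t else 0)


def outer_size(inner_len, outer="ipv6", nat_t=False):
    """Size on the WAN of one ESP packet carrying inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return _fixed(outer, nat_t) + padded


def max_inner_mtu(path_mtu, outer="ipv6", nat_t=False):
    """Largest inner packet that needs no fragmentation on path_mtu."""
    room = path_mtu - _fixed(outer, nat_t)
    return (room // AES_BLOCK) * AES_BLOCK - ESP_TRAILER


def tcp_payload(inner_mtu, tcp_options=12):
    """TCP bytes per segment in an inner IPv4 packet (12 = timestamps)."""
    return inner_mtu - 20 - 20 - tcp_options


if __name__ == "__main__":
    for path in (1500, 1492, 1280):  # 1492 and 1280 are constructed cases
        for outer in ("ipv6", "ipv4"):
            print(f"path MTU {path}, outer {outer}: "
                  f"max inner MTU {max_inner_mtu(path, outer)}")
    print("client MTU 1390 ->", outer_size(1390), "bytes over IPv6")
    print("TCP payload at MTU 1390 with timestamps:", tcp_payload(1390))
```

Under these assumptions a client MTU of 1390 produces 1468-byte ESP packets over IPv6, and 1338 bytes is the TCP payload that MTU 1390 gives when TCP timestamps are in use.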