Site-to-site tunnel with IPsec - throughput only 4 kB/s

Hello everyone,

I have set up an IPsec connection over IPv6 between two sites with an SG115 and an SG135. One line has 100 Mbit/s down/up and the other has 200 Mbit/s down/up. A ping between the two UTMs takes about 8 ms. Mounting shares and then copying takes forever. Only 4 kB/s is shown.

Unfortunately I have no more ideas where to start.

Overview of the IPsec connection in the site-to-site overview:

SA: 192.168.30.0/24=2a00:xxxxx   2a00:xxxxx=192.168.1.0/24
VPN ID: 2a00:xxxxxx
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 7800s / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 3600s

Thanks!

  • In reply to Duff11:

    Assuming that your WAN connection is on eth1, what result do you get from:

    ifconfig eth1

    Regards - Bob (Please continue in German.)

  • In reply to BAlfson:

    The output for the eth1 (WAN) interface is:

    sg115:/root # ifconfig eth1
    eth1      Link encap:Ethernet  HWaddr 00:1A:8C:43:32:F9  
              inet addr:192.168.3.251  Bcast:192.168.3.255  Mask:255.255.255.0
              inet6 addr: 2a00:6010:13a6:2100:21a:8cff:fe43:32f9/64 Scope:Global
              inet6 addr: fe80::21a:8cff:fe43:32f9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:182535440 errors:0 dropped:1129 overruns:0 frame:0
              TX packets:111550355 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:205820574255 (196285.7 Mb)  TX bytes:30375481945 (28968.3 Mb)

    sg115:/root # ip a s dev eth1
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc hfsc state UP group default qlen 1000
        link/ether 00:1a:8c:43:32:f9 brd ff:ff:ff:ff:ff:ff
        inet 192.168.3.251/24 brd 192.168.3.255 scope global eth1
           valid_lft forever preferred_lft forever
        inet6 2a00:6020:15e6:2200:21a:8cff:fe43:32f9/64 scope global dynamic
           valid_lft 3043sec preferred_lft 1693sec
        inet6 fe80::21a:8cff:fe43:32f9/64 scope link
           valid_lft forever preferred_lft forever

    And on the other UTM (WAN is on eth7):

    sg135:/root # ifconfig eth7
    eth7      Link encap:Ethernet  HWaddr 00:1A:8C:4B:15:D7  
              inet addr:192.168.50.99  Bcast:192.168.50.255  Mask:255.255.255.0
              inet6 addr: fe80::21a:8cff:fe4b:15d7/64 Scope:Link
              inet6 addr: 2a00:6010:23ae:af10:21a:8cff:fe4b:15d7/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:308355686 errors:0 dropped:0 overruns:0 frame:0
              TX packets:178763670 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:384447335574 (366637.5 Mb)  TX bytes:29044146511 (27698.6 Mb)

    sg135:/root # ip a s dev eth7
    9: eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:1a:8c:4b:15:d7 brd ff:ff:ff:ff:ff:ff
        inet 192.168.50.99/24 brd 192.168.50.255 scope global eth7
           valid_lft forever preferred_lft forever
        inet6 2a00:6020:15ee:af00:21a:8cff:fe4b:15d7/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::21a:8cff:fe4b:15d7/64 scope link
           valid_lft forever preferred_lft forever

    I only changed the MTU size on the tunnel endpoints.
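Added example, not part of the thread and not Sophos UTM code: a small Python calculator for the ESP tunnel-mode overhead of the SA shown above (IPv6 outer header, AES_CBC_256, HMAC_MD5 with a 96-bit truncated ICV). It gives the largest inner packet that still fits the 1500-byte MTU shown on both WAN interfaces without fragmenting the ESP packet, and the matching TCP MSS. Assumptions: tunnel mode, a 12-byte ICV, no NAT-T UDP encapsulation unless `nat_t=True` is passed; header sizes are from RFC 8200, RFC 791, RFC 4303 and RFC 3948, and the function names are mine.

```python
"""ESP tunnel-mode overhead and inner-MTU calculator.

Added example for this thread, not Sophos UTM code.  Header sizes follow
RFC 8200 (IPv6), RFC 791 (IPv4), RFC 4303 (ESP) and RFC 3948 (NAT-T).
Defaults match the SA in the thread: IPv6 outer header, AES-CBC-256
(16-byte block, 16-byte IV), HMAC-MD5-96 (12-byte ICV), no NAT-T.
"""

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
UDP_HDR = 8          # only present with NAT-T (UDP/4500) encapsulation
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER_MIN = 2  # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, outer_ip="ipv6", block=16, iv_len=16,
                    icv_len=12, nat_t=False):
    """Bytes on the wire for one ESP tunnel-mode packet carrying an
    inner IP packet of inner_len bytes (without outer fragmentation)."""
    outer_hdr = IPV6_HDR if outer_ip == "ipv6" else IPV4_HDR
    # CBC mode: inner packet + padding + 2-byte trailer must be a whole
    # number of cipher blocks, so the padding depends on inner_len.
    pad = (-(inner_len + ESP_TRAILER_MIN)) % block
    return (outer_hdr + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
            + inner_len + pad + ESP_TRAILER_MIN + icv_len)


def max_inner_packet(outer_mtu, **kw):
    """Largest inner packet whose ESP encapsulation still fits outer_mtu.

    esp_tunnel_size() is non-decreasing in inner_len, so a downward scan
    from outer_mtu finds the boundary."""
    size = outer_mtu
    while size > 0 and esp_tunnel_size(size, **kw) > outer_mtu:
        size -= 1
    return size


def tcp_mss_clamp(outer_mtu, inner_ip="ipv4", **kw):
    """TCP MSS to clamp inside the tunnel so a full segment never needs
    fragmentation of the ESP packet."""
    inner_hdr = IPV4_HDR if inner_ip == "ipv4" else IPV6_HDR
    return max_inner_packet(outer_mtu, **kw) - inner_hdr - TCP_HDR


def would_fragment(inner_len, outer_mtu, **kw):
    """True if an inner packet of inner_len bytes cannot be carried as a
    single ESP packet within outer_mtu (fragmented, or dropped with DF)."""
    return esp_tunnel_size(inner_len, **kw) > outer_mtu


if __name__ == "__main__":
    for nat_t in (False, True):
        inner = max_inner_packet(1500, nat_t=nat_t)
        print(f"nat_t={nat_t}: inner MTU {inner}, "
              f"IPv4 TCP MSS {tcp_mss_clamp(1500, nat_t=nat_t)}, "
              f"1500-byte inner packet fragments: "
              f"{would_fragment(1500, 1500, nat_t=nat_t)}")
```

With a 1500-byte outer MTU this gives an inner MTU of 1422 bytes and an IPv4 TCP MSS of 1382 (1406 and 1366 with NAT-T). Whether the IPv6 path between the two WAN addresses actually carries 1500-byte ESP packets is a separate question; a DF-bit sweep from one endpoint (`ping -M do -s <size>` on Linux) across the WAN and through the tunnel shows where the real limit is, and inner packets larger than the computed size that do not get through point at fragmentation or a PMTU black hole.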

  • In reply to Duff11:

    I'm out of questions. What does Sophos Support have to say about this?

    Regards - Bob (Please continue in German.)

  • In reply to BAlfson:

    I do not have a valid subscription for support (only for the license) :(

  • In reply to Duff11:

    What happens if you use IPv4 instead of IPv6?

    Regards - Bob (Please continue in German.)

  • In reply to BAlfson:

    That is not possible. I have an IPv6 connection from Deutsche Glasfaser with no direct IPv4 access.

  • In reply to Duff11:

    Is this the case on both sides, or is the other side having to use 4-to-6?

    Cheers - Bob

  • In reply to BAlfson:

    Yes. Both sides have the same Internet access and provider.

  • In reply to Duff11:

    I have done another test with Linux clients at the tunnel endpoints. They use NFS for file transfer. I have also started a tcpdump for sniffing.

    I can see strange messages in the dump which I cannot interpret.

    I have attached a dump file which is split (Linux split command) into several files and zipped for uploading (max upload size is 1 MB).

    Attachments: xaa.zip, xab.zip, xac.zip, xad.zip, xae.zip, xaf.zip, xag.zip, xah.zip, xai.zip, xaj.zip, xak.zip