Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 58 replies
  • Answers 2 answers
  • Subscribers 42 subscribers
  • Views 57007 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site Tunnel mit IPSec - Durchsatz nur 4 kB/s

Duff11

Hallo zusammen,

ich habe zwischen zwei Standorten mit einer SG115 und SG135 eine IPSec Verbindung über IPv6 eingerichtet. Ein Anschluß hat 100Mbit/s Down/Up und der andere hat 200Mbit down/up. Ein ping zwischen beiden UTM's dauert ca. 8ms. Das Einbinden von Freigaben und anschließende Kopieren dauert ewig. Es werden nur 4 kB/s angezeigt.

Leider habe ich keine Idee mehr, wo ich ansetzen soll.

 

Übersicht der IPSec VErbindung in der Site-to-Site Übersicht:

SA: 192.168.30.0/24=2a00:xxxxx   2a00:xxxxx=192.168.1.0/24
VPN ID: 2a00:xxxxxx
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 7800s / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 3600s
 
   

 

 

Danke!



This thread was automatically locked due to age.
  • 0

    Im Logfile ipsec.log steht noch folgendes

    <pre>

    2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1441: starting keying attempt 1392 of an unlimited number
    2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1441 {using isakmp#13
    43}
    2018:07:17-20:36:12 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_ID_INFORMATION
    2018:07:17-20:36:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: initiating Main Mode to replace #1343
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [strongSwan]
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring Vendor ID payload [Cisco-Unity]
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [XAUTH]
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [Dead Peer Detection]
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: received Vendor ID payload [RFC 3947]
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: enabling possible NAT-traversal with method 3
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: NAT-Traversal: Result using RFC 3947: no NAT detected
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: Peer ID is ID_IPV6_ADDR: 'xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: Dead Peer Detection (RFC 3706) enabled
    2018:07:17-20:36:37 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ISAKMP SA established
    2018:07:17-20:36:42 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1343: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable resp
    onse to our first Quick Mode message: perhaps peer likes no proposal
    2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1442: starting keying attempt 1393 of an unlimited number
    2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1444: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1442 {using isakmp#14
    43}
    2018:07:17-20:37:22 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_ID_INFORMATION
    2018:07:17-20:37:32 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:17-20:37:52 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1443: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:17-20:38:32 sg115 pluto[16946]: "S_REF_IpsSitAtoB_0" #1444: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable resp
    onse to our first Quick Mode message: perhaps peer likes no proposal

    </pre>

  • 0 in reply to Duff11

    Niemand eine Idee?

    Werden eventuell noch weitere Informationen benötigt...

     

    Habe auf beiden Seiten bei IPSec eingestellt, dass eine Verbindung initiiert werden soll (und nicht einmal respond only). Wie gesagt, ein ping funktioniert einwandfrei. Das Übertragen von Daten leider überhaupt nicht ;-(

  • 0 in reply to Duff11

    Entschuldige mich für Englishe Antwort, mein Deutsch ist nicht so gut:

    Do you also use Intrusion Protection? If so try to see what throughput is when you disable this (or make an exception for it for traffic inside the tunnel).

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Hi,

     

    thanks for your answer.

    I already disable Intrusion Detection on one site. Im not sure if I also disable it on the other site.

    I will check and give a feedback.

     

    Regards

  • 0 in reply to Duff11

    Same result after disabling Intrusion Detection.

    Any other ideas?

     

    I have seen that there are two tun1 interfaces.

    One for IPv4 and one for IPv6. Both are for different use (OpenVPN for IPv4 and IPSec for deticated IPv6).

    Is that a problem?

  • 0 in reply to Duff11

    Are both interfaces called tun1 ? that sounds odd, I would expect them to have each a unique name.

    However I don't really have any other ideas for now, maybe someone else can shed some extra light on this situation.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    I do a tcpdump on one of the machines and I see this:

    truncated-ip6 - 22052 bytes missing!7f0x:xxxx:xxxx:xxxx:c0a8:1402:1bd:a83d > xxxx:f13:xxxx:xxxxx:xxxx:ff:f2bf:0: ip-proto-64 23402

     

    What does that mean? Problem with windows size?

  • 0 in reply to Duff11

    Hat niemand mehr eine Idee?

    Werden mehr Informationen benötigt?

     

  • 0

    Evtl mag dein ISP nicht den ganzen Overhead und du könntest mal gucken was passiert wenn du die MTU für den tunnel was nach unten drehst?

  • 0 in reply to Nap

    Oder liegt es vielleicht sogar am Routing?

     

    ICh baue die IPSec-Verbindung zwischen den beiden UTMs über eine feste IPv6 auf.

    Anschließend möchte ich mit den Netzen dahinter per IPv4 kommunizieren.

     

     

    Anbei nochmal das Logfile. Wenn ich es richtig verstehe, wird der Tunnel aufgebaut. Ein ping funktioniert wunderbar. Nur ein Zugriff auf Daten will nicht wirklich ...

     

    2018:07:28-13:48:18 sg115 ipsec_starter[24137]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2018:07:28-13:48:18 sg115 pluto[24154]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2018:07:28-13:48:18 sg115 ipsec_starter[24147]: pluto (24154) started after 20 ms
    2018:07:28-13:48:19 sg115 pluto[24154]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2018:07:28-13:48:19 sg115 pluto[24154]:   including NAT-Traversal patch (Version 0.6c)
    2018:07:28-13:48:19 sg115 pluto[24154]: Using Linux 2.6 IPsec interface code
    2018:07:28-13:48:19 sg115 pluto[24154]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2018:07:28-13:48:19 sg115 pluto[24154]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaVerVpnSigniCaSun2.pem'
    2018:07:28-13:48:19 sg115 pluto[24154]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaVerVpnSigniCaSun.pem'
    2018:07:28-13:48:19 sg115 pluto[24154]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
    2018:07:28-13:48:19 sg115 pluto[24154]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2018:07:28-13:48:19 sg115 pluto[24154]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2018:07:28-13:48:19 sg115 pluto[24154]: Changing to directory '/etc/ipsec.d/crls'
    2018:07:28-13:48:19 sg115 pluto[24154]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface tun0/tun0 10.10.30.1:500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface tun0/tun0 10.10.30.1:4500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth2/eth2 192.168.10.1:500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth2/eth2 192.168.10.1:4500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth1/eth1 192.168.3.1:500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth1/eth1 192.168.3.1:4500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth0/eth0 192.168.1.1:500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth0/eth0 192.168.1.1:4500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface lo/lo 127.0.0.1:500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface lo/lo 127.0.0.1:4500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface eth1/eth1 2yyyy:yyyy::yyyy:500
    2018:07:28-13:48:19 sg115 pluto[24154]: adding interface lo/lo ::1:500
    2018:07:28-13:48:19 sg115 pluto[24154]: loading secrets from "/etc/ipsec.secrets"
    2018:07:28-13:48:19 sg115 pluto[24154]:   loaded PSK secret for 2yyyy:yyyy::yyyy 2xxx:xxxx::xxxx
    2018:07:28-13:48:19 sg115 pluto[24154]: listening for IKE messages
    2018:07:28-13:48:19 sg115 pluto[24154]: added connection description "IpSitA2B0"
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: initiating Main Mode
    2018:07:28-13:48:19 sg115 pluto[24154]: added connection description "IpSitA2B1"
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: received Vendor ID payload [strongSwan]
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: ignoring Vendor ID payload [Cisco-Unity]
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: received Vendor ID payload [XAUTH]
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: received Vendor ID payload [Dead Peer Detection]
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: received Vendor ID payload [RFC 3947]
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: enabling possible NAT-traversal with method 3
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: Peer ID is ID_IPV6_ADDR: '2xxx:xxxx::xxxx'
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: Dead Peer Detection (RFC 3706) enabled
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: ISAKMP SA established
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
    2018:07:28-13:48:19 sg115 pluto[24154]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitA2B" address="2yyyy:yyyy::yyyy" local_net="192.168.1.0/24" remote_net="192.168.30.0/24"
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B1" #2: sent QI2, IPsec SA established {ESP=>0x7ff2410a <0x9d06f096 DPD}
    2018:07:28-13:48:19 sg115 pluto[24154]: "IpSitA2B0" #1: ignoring informational payload, type INVALID_ID_INFORMATION
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B0" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xd9eea003) not found (maybe expired)
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: received Vendor ID payload [strongSwan]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: ignoring Vendor ID payload [Cisco-Unity]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: received Vendor ID payload [XAUTH]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: received Vendor ID payload [Dead Peer Detection]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: received Vendor ID payload [RFC 3947]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2018:07:28-13:48:28 sg115 pluto[24154]: packet from 2xxx:xxxx::xxxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #4: responding to Main Mode
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #4: NAT-Traversal: Result using RFC 3947: no NAT detected
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #4: Peer ID is ID_IPV6_ADDR: '2xxx:xxxx::xxxx'
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #4: Dead Peer Detection (RFC 3706) enabled
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #4: sent MR3, ISAKMP SA established
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #5: responding to Quick Mode
    2018:07:28-13:48:28 sg115 pluto[24154]: "IpSitA2B1" #5: IPsec SA established {ESP=>0x2870b384 <0x6c26ef33 DPD}
    2018:07:28-13:48:29 sg115 pluto[24154]: "IpSitA2B0" #1: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:48:49 sg115 pluto[24154]: "IpSitA2B0" #1: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:49:29 sg115 pluto[24154]: "IpSitA2B0" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2018:07:28-13:49:29 sg115 pluto[24154]: "IpSitA2B0" #3: starting keying attempt 2 of an unlimited number
    2018:07:28-13:49:29 sg115 pluto[24154]: "IpSitA2B0" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#4}
    2018:07:28-13:49:29 sg115 pluto[24154]: "IpSitA2B1" #4: next payload type of ISAKMP Hash Payload has an unknown value: 54
    2018:07:28-13:49:29 sg115 pluto[24154]: "IpSitA2B1" #4: malformed payload in packet
    2018:07:28-13:49:39 sg115 pluto[24154]: "IpSitA2B1" #4: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:49:59 sg115 pluto[24154]: "IpSitA2B1" #4: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:50:39 sg115 pluto[24154]: "IpSitA2B0" #6: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2018:07:28-13:50:39 sg115 pluto[24154]: "IpSitA2B0" #6: starting keying attempt 3 of an unlimited number
    2018:07:28-13:50:39 sg115 pluto[24154]: "IpSitA2B0" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #6 {using isakmp#4}
    2018:07:28-13:50:39 sg115 pluto[24154]: "IpSitA2B1" #4: next payload type of ISAKMP Hash Payload has an unknown value: 221
    2018:07:28-13:50:39 sg115 pluto[24154]: "IpSitA2B1" #4: malformed payload in packet
    2018:07:28-13:50:49 sg115 pluto[24154]: "IpSitA2B1" #4: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:51:09 sg115 pluto[24154]: "IpSitA2B1" #4: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:51:49 sg115 pluto[24154]: "IpSitA2B0" #7: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2018:07:28-13:51:49 sg115 pluto[24154]: "IpSitA2B0" #7: starting keying attempt 4 of an unlimited number
    2018:07:28-13:51:49 sg115 pluto[24154]: "IpSitA2B0" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #7 {using isakmp#4}
    2018:07:28-13:51:49 sg115 pluto[24154]: "IpSitA2B1" #4: next payload type of ISAKMP Hash Payload has an unknown value: 157
    2018:07:28-13:51:49 sg115 pluto[24154]: "IpSitA2B1" #4: malformed payload in packet
    2018:07:28-13:51:59 sg115 pluto[24154]: "IpSitA2B1" #4: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:52:19 sg115 pluto[24154]: "IpSitA2B1" #4: ignoring informational payload, type INVALID_MESSAGE_ID
    2018:07:28-13:52:59 sg115 pluto[24154]: "IpSitA2B0" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Unfiltered HTML