Topic: Site-to-site IPSec tunnel performance...  (Read 6098 times)
« on: March 20, 2007, 19:28:05 »
chrisd *
Posts: 3

We have two locations, each running m0n0wall 1.22 on WRAP boards. The m0n0wall itself seems to be running fine, and is stable and reliable.

We've created an IPSec tunnel between the two locations, and traffic is passing from network to network properly.

There is, however, a problem with performance. When accessing a server app at the local location, performance of the client is very good. When accessing the same server app over a PPTP tunnel from a remote laptop, performance of the client is very good. When accessing the same server app from the remote network via the IPSec tunnel, performance is terrible.

In testing, we've opened the server ports up to the internet and accessed the app via the net, circumventing the tunnel. Performance is what we expect.

Both nets are connected to the internet via T1, so we should be getting decent performance. As I've mentioned, if I connect to the net where the server resides via PPTP, I get the performance I expect. It's only when the traffic is routing over the IPSec tunnel that things suffer.

At this point, this issue has become critical. Any and all suggestions are welcome. Additionally, I'd be happy to pay someone as a consultant to look at our m0n0wall configuration(s) and recommend changes to support our application.

TIA for any help.

Chris
« Reply #1 on: March 20, 2007, 19:47:00 »
rpsmith
Guest

Chris,

I'm having no performance problems with any of my IPSEC tunnels. My basic config looks like this:

<tunnel>
  <interface>wan</interface>
  <local-subnet>
    <network>lan</network>
  </local-subnet>
  <remote-subnet>10.1.1.0/24</remote-subnet>
  <remote-gateway>69.70.71.72</remote-gateway>
  <p1>
    <mode>aggressive</mode>
    <myident>
      <fqdn>my-domain.com</fqdn>
    </myident>
    <encryption-algorithm>blowfish</encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>86400</lifetime>
    <pre-shared-key>A-Very-Long-Password-Goes-Here!</pre-shared-key>
    <private-key/>
    <cert/>
    <peercert/>
    <authentication_method>pre_shared_key</authentication_method>
  </p1>
  <p2>
    <protocol>esp</protocol>
    <encryption-algorithm-option>blowfish</encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>2</pfsgroup>
    <lifetime>43200</lifetime>
  </p2>
  <descr>Tunnel Disc Goes Here</descr>
</tunnel>

Would be glad to take a quick look at yours if you still need help.

Roy...
« Reply #2 on: March 20, 2007, 19:55:48 »
chrisd *
Posts: 3

Tonight, I'll compare this config with mine and let you know of any differences. What version of m0n0wall are you running?

:c:
« Reply #3 on: March 20, 2007, 19:58:59 »
rpsmith
Guest

1.23 and 1.3b2
« Reply #4 on: March 22, 2007, 02:11:12 »
cmb *****
Posts: 851

My best guess is an MTU issue. If you lower the MTU on one client machine to 1400, does that machine then perform as you would expect?
« Reply #5 on: March 22, 2007, 02:46:44 »
rpsmith
Guest

I would also check the "Allow fragmented IPsec packets" box in the Advanced Setup screen.

Roy...
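Both of the suggestions above (cmb's "lower the client MTU to 1400" and Roy's "allow fragmented IPsec packets") come down to the same arithmetic: ESP tunnel mode adds an outer IPv4 header, an ESP header, an IV, padding and an ICV to every packet, so a full-size 1500-byte packet from a LAN client no longer fits a 1500-byte WAN MTU and must be fragmented or dropped. The following script is an added illustration written for this thread, not code from m0n0wall or from any poster; it models the overhead for the cipher/HMAC combinations in Roy's config (Blowfish-CBC with HMAC-SHA1-96) and assumes the standard 8-byte IV for Blowfish and a 12-byte truncated ICV. The "fragments_pass" flag and the function names are this example's own.

```python
# Added example, not from the thread: estimate ESP tunnel-mode overhead on IPv4
# so an MTU/fragmentation stall like the one described above can be reasoned
# about before changing the firewall.

IPV4_HEADER = 20
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)

# CBC cipher block sizes in bytes; the IV is one block long (assumed standard values).
CIPHER_BLOCK = {"blowfish": 8, "3des": 8, "aes": 16}
# Truncated HMAC ICV lengths used by IPsec (96 bits for SHA1/MD5, 128 for SHA-256).
ICV_LEN = {"hmac_sha1": 12, "hmac_md5": 12, "hmac_sha256": 16}


def esp_tunnel_size(inner_len, cipher="blowfish", hmac="hmac_sha1"):
    """Wire size of an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation: outer IPv4 + ESP header + IV + payload
    padded to the cipher block size + 2-byte trailer + ICV."""
    block = CIPHER_BLOCK[cipher]
    enc = inner_len + ESP_TRAILER            # region that must be block-aligned
    pad = (-enc) % block
    return IPV4_HEADER + ESP_HEADER + block + enc + pad + ICV_LEN[hmac]


def max_inner_packet(wan_mtu=1500, cipher="blowfish", hmac="hmac_sha1"):
    """Largest inner IPv4 packet that still fits wan_mtu after encapsulation.
    Subtract 40 (IPv4 + TCP headers) to get the TCP MSS the client should use."""
    n = wan_mtu
    while esp_tunnel_size(n, cipher, hmac) > wan_mtu:
        n -= 1
    return n


def tunnel_outcome(client_mtu, wan_mtu=1500, fragments_pass=True,
                   cipher="blowfish", hmac="hmac_sha1"):
    """Classify a full-size packet from a client whose interface MTU is client_mtu.
    'fits'        -> encapsulated packet fits the WAN MTU, no fragmentation needed
    'fragmented'  -> outer ESP packet must be split and the far end reassembles it
    'dropped'     -> fragmentation needed but fragments are not accepted, so bulk
                     transfers stall while small (interactive) packets still work"""
    wire = esp_tunnel_size(client_mtu, cipher, hmac)
    if wire <= wan_mtu:
        return "fits"
    return "fragmented" if fragments_pass else "dropped"


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"client MTU {mtu}: wire size {esp_tunnel_size(mtu)} bytes, "
              f"fragments blocked -> {tunnel_outcome(mtu, fragments_pass=False)}")
    print("largest inner packet without fragmentation:", max_inner_packet())
```

With Blowfish and HMAC-SHA1 a 1500-byte inner packet becomes 1552 bytes on the wire, while a 1400-byte packet becomes 1456 bytes and fits; the largest inner packet that avoids fragmentation is 1446 bytes (a TCP MSS of 1406), which is why a client MTU of 1400 is a reasonable test value and why allowing fragmented IPsec packets is the other way out of the same problem.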
« Reply #6 on: March 23, 2007, 00:44:41 »
chrisd *
Posts: 3

After turning on 'Allow Fragmented Packets', per Roy's suggestion, a new behaviour:

1) The client application on the remote network still performs very poorly.

But:

2) If you open a web browser that connects to a somewhat Flash-laden web site on the main network, and then run the client app, the client app runs 'normally', with 'normal' performance.

Weird.
« Reply #7 on: March 31, 2007, 05:21:40 »
darklogic *
Posts: 45

What sort of encryption are you using, and what bit level did you set it to? Blowfish is a strong and fast encryption, but is slow at generating keys. Also, the hardware will have an effect on the performance of your VPNs. Not sure if you have heard of PFsense, but it is based off of monowall and has a lot of VPN encryption features. I use it in some locations connecting to monowall boxes across full frame relay T1s and the performance is great. Good enough to send 32 security cameras' worth of video in real time to a remote site PC.
« Last Edit: March 31, 2007, 05:23:39 by darklogic »