[GLLUG] VPNs (nearly off topic)

Peter Grant grantpe at gmail.com
Thu Nov 1 12:00:10 UTC 2018


On Wed, 31 Oct 2018 at 22:21, James Courtier-Dutton
<james.dutton at gmail.com> wrote:
>
> On Wed, 31 Oct 2018 at 16:46, Peter Grant via GLLUG <gllug at mailman.lug.org.uk> wrote:
>>
>> Hi all,
>> This is nearly off topic, but since the VPNs are between two PFSense
>> firewalls, I guess it might just squeeze in.
>>
>> I have two PFSense firewalls, one in the UK and one in Thailand. I
>> have a need encrypted networking between them (to protect
>> communication between Windows boxes).
>>
>> I've managed to get an IPSec tunnel established, but with major packet
>> loss over it (30% or so), which is obviously unworkable.
>>
>> Any suggestions to either reduce the packet loss or a different VPN
>> technology that will cope better with the distance/latency involved?
>> Ideally something PFSense will support, we have several OpenVPN
>> tunnels and IPSec tunnels running already for other uses, so might
>> slightly prefer one of those.
>>
>> I did disable the Dead peer detection system which improved the
>> performance, but it's still not good enough for use.
>>
>> Thanks for reading and for any advice you might have,
>> Peter
>
>
> Hi,
>
> I agree that this is off topic for Linux, but I also have some 20 years TCP/IP networking experience, so I thought I would suggest some ideas.
> VPNs, when configured wrongly, can cause something called "black hole packets".
> This is where packets of particular sizes get dropped.
> E.g. packets of sizes up to 1000 bytes pass OK, packets of size 1001-1010 fail, and then packets larger than 1011 are fine.
> Which packet size gets lost varies depending on the configuration, but it is normally somewhere between 1400 and 1500.
>
> A way to test this is to send ICMP ping packets through the link, starting at a small size and progressively getting larger, until about 2000 bytes.
> Then see if ones of a particular size fail to get through.
> On a properly working link, all the packets should get through.
> On a link with the "black hole" problem, some packets of particular sizes will never get through.
> If your link has a "black hole" problem, one possible solution is lowering the MTU on the ethernet interfaces. Sometimes this fixes the problem, sometimes, all it does is move the "black hole" to a different size.
>
> So, have a test, and tell me what you find.
> On Linux, you can use "ping -s ..." to set the packet size.
>

Hi James,

Sadly I don't see the problem related to specific packet size - just
done some tests to confirm but it seems to be random irrespective of
packet size - sometimes it'll be fine, but most of the time even just
a ping at a single size will have loads of packet loss.

Good suggestion and definitely not something I've seen happening
before - certainly will be checking for it in future.

Thanks,
Peter
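The size sweep James describes, written out as an added example (not from the thread or from pfSense): it pings each payload size several times and then classifies the result, so that a size-bounded black hole (James's case) can be told apart from loss that is the same at every size (what Peter reports). It assumes Linux iputils ping; the sample tables in the test are constructed.

```shell
#!/bin/sh
# Sweep ICMP payload sizes across a link and record the loss rate per size.
# A size-specific "black hole" shows as 100% loss in one band of sizes with 0%
# on both sides; random loss (Peter's case) shows at every size. Linux iputils ping.

COUNT=${COUNT:-5}   # pings per size; more pings give a steadier loss figure

# loss_pct HOST SIZE -> percentage of lost replies for COUNT pings carrying
# SIZE payload bytes (100 if ping printed no summary at all).
loss_pct() {
    out=$(ping -c "$COUNT" -W 2 -s "$2" "$1" 2>/dev/null)
    pct=$(printf '%s\n' "$out" | sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p')
    printf '%s\n' "${pct:-100}"
}
# classify_loss: reads "SIZE PCT" lines on stdin and prints one verdict:
#   black-hole A-B   100%-loss band bounded by 0%-loss sizes (James's case)
#   lost-above S     100% loss from S to the end;  clean  nothing lost
#   random-loss N% average   loss spread over sizes (Peter's case)
classify_loss() {
    awk '
      { size[NR] = $1; pct[NR] = $2 + 0; total += pct[NR] }
      END {
        start = 0; holes = ""
        for (i = 1; i <= NR; i++) {
          if (pct[i] == 100) { if (!start) start = i; continue }
          if (start) {
            if (start > 1 && pct[start-1] == 0 && pct[i] == 0)
              holes = holes " " size[start] "-" size[i-1]
            start = 0
          }
        }
        if (holes != "") { print "black-hole" holes; exit }
        if (start)       { print "lost-above " size[start]; exit }
        if (total == 0)  { print "clean"; exit }
        printf "random-loss %.0f%% average\n", total / NR
      }'
}

# sweep HOST FROM TO [STEP] -> one "SIZE PCT" line per payload size
sweep() {
    host=$1; from=$2; to=$3; step=${4:-16}
    size=$from
    while [ "$size" -le "$to" ]; do
        printf '%s %s\n' "$size" "$(loss_pct "$host" "$size")"
        size=$((size + step))
    done
}

# usage: sh mtusweep.sh <peer-lan-ip> 64 2000 16  (table to stderr, verdict to stdout)
if [ $# -ge 3 ]; then sweep "$@" | tee /dev/stderr | classify_loss; fi
```

Run it from a host on one LAN against a host on the other side of the tunnel; a verdict of random-loss with similar figures at every size points away from an MTU problem and towards the path itself.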
