[GLLUG] VPNs (nearly off topic)

James Courtier-Dutton james.dutton at gmail.com
Wed Oct 31 22:21:47 UTC 2018

On Wed, 31 Oct 2018 at 16:46, Peter Grant via GLLUG <
gllug at mailman.lug.org.uk> wrote:

> Hi all,
> This is nearly off topic, but since the VPNs are between two PFSense
> firewalls, I guess it might just squeeze in.
> I have two PFSense firewalls, one in the UK and one in Thailand. I
> have a need for encrypted networking between them (to protect
> communication between Windows boxes).
> I've managed to get an IPSec tunnel established, but with major packet
> loss over it (30% or so), which is obviously unworkable.
> Any suggestions to either reduce the packet loss or a different VPN
> technology that will cope better with the distance/latency involved?
> Ideally something PFSense will support, we have several OpenVPN
> tunnels and IPSec tunnels running already for other uses, so might
> slightly prefer one of those.
> I did disable the Dead peer detection system which improved the
> performance, but it's still not good enough for use.
> Thanks for reading and for any advice you might have,
> Peter


I agree that this is off topic for Linux, but I also have some 20 years of
TCP/IP networking experience, so I thought I would suggest some ideas.
VPNs, when configured wrongly, can cause something called a "black hole".
This is where packets of particular sizes get dropped.
E.g. packets of sizes up until 1000 bytes pass OK, packets of size 1001-1010
fail, and then packets larger than 1011 are fine.
Which size packet gets lost varies depending on the configuration, but
it is normally somewhere between 1400 and 1500.

A way to test this is to send ICMP ping packets through the link, starting
at a small size and progressively getting larger, until about 2000 bytes.
Then see if ones of a particular size fail to get through.
On a properly working link, all the packets should get through.
On a link with the "black hole" problem, some packets of particular sizes
will never get through.
If your link has a "black hole" problem, one possible solution is lowering
the MTU on the Ethernet interfaces. Sometimes this fixes the problem;
sometimes all it does is move the "black hole" to a different size.

So, have a test, and tell me what you find.
On Linux, you can use "ping -s ..." to set the packet size.
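The size sweep James describes, written up as a small script. This is an added example and not code from either poster; it assumes Linux iputils ping, whose `-s` flag sets the ICMP payload size and whose `-M do` flag sets the Don't Fragment bit so a packet that exceeds the path MTU is rejected rather than silently fragmented. The host name and the sweep bounds are command-line arguments; `failing_ranges` and `classify` are pure functions over the sweep results, so the verdict logic can be checked without a network.

```python
#!/usr/bin/env python3
"""Sweep ICMP payload sizes across a link to look for a PMTU "black hole".

Added example, not from the original thread. Assumes Linux iputils ping
(-c, -W, -M do, -s). Usage: python3 mtu_sweep.py <host> [lo] [hi] [step]
"""
import subprocess
import sys

IP_HDR = 20    # IPv4 header bytes
ICMP_HDR = 8   # ICMP echo header bytes


def packet_size(payload: int) -> int:
    """Total on-the-wire IPv4 packet size for a given ping payload."""
    return payload + ICMP_HDR + IP_HDR


def ping_once(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one DF-marked echo of the given payload size; True if it got a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        sys.exit("iputils ping not found on PATH")
    return proc.returncode == 0


def sweep(host: str, lo: int = 64, hi: int = 2000, step: int = 8,
          probe=ping_once) -> dict:
    """Probe payload sizes lo..hi (inclusive) and return {payload: replied?}.

    `probe` is injectable so the logic below can be exercised offline.
    """
    return {size: probe(host, size) for size in range(lo, hi + 1, step)}


def failing_ranges(results: dict) -> list:
    """Collapse a sweep into [(first_failed_payload, last_failed_payload), ...]."""
    ranges = []
    start = None
    prev = None
    for size in sorted(results):
        replied = results[size]
        if not replied and start is None:
            start = size                      # a run of failures begins
        elif replied and start is not None:
            ranges.append((start, prev))      # run ended at the previous size
            start = None
        prev = size
    if start is not None:
        ranges.append((start, prev))          # failures ran to the top of the sweep
    return ranges


def classify(results: dict) -> str:
    """'clean' (all replied), 'ceiling' (everything above some size fails, i.e.
    an ordinary MTU limit), or 'black hole' (a failing band with working sizes
    on both sides, which is the symptom described in the thread)."""
    ranges = failing_ranges(results)
    if not ranges:
        return "clean"
    top = max(results)
    if len(ranges) == 1 and ranges[0][1] == top:
        return "ceiling"
    return "black hole"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    host = sys.argv[1]
    lo, hi, step = (int(a) for a in (sys.argv[2:5] + ["64", "2000", "8"][len(sys.argv) - 2:]))
    res = sweep(host, lo, hi, step)
    for a, b in failing_ranges(res):
        print(f"no reply for payload {a}-{b} bytes "
              f"(packet {packet_size(a)}-{packet_size(b)} bytes)")
    print("verdict:", classify(res))
```

A payload of 1472 bytes gives a 1500-byte packet, the standard Ethernet MTU, so on a clean path without tunnel overhead the sweep should show a plain "ceiling" starting just above that. A "black hole" verdict, with working sizes above the failing band, is the case where lowering the interface MTU is worth trying; rerun the sweep afterwards to confirm the band has gone rather than merely moved.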