Hey Community,
I currently have a strange problem where I could use one or two ideas. I installed strongSwan on a VPS and have configured it so far. Connections are established. However, performance is unfortunately more on the dark side of the Force... but not everywhere. Websites such as ubuntuusers, Google, YouTube (tested with 1080p videos) load instantly and are also resolved by DNS, everything "as usual". GitHub & eBay load only very slowly (~5 min until fully loaded), and rwth-aachen.de sometimes isn't even resolved by DNS. When it is, load times are likewise around 5 min.
A test download from https://speed.hetzner.de/ (1GB.bin) runs at ~19 kB/s.
ipsec.conf:
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=54.37.xxx.xxx
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
sysctl.conf:
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1

net.ipv4.ip_no_pmtu_disc = 1
#
iptables:
# Generated by webmin
*filter
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A FORWARD -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A FORWARD -s 10.10.10.0/24 -j ACCEPT --match policy --pol ipsec --dir in --proto esp
-A FORWARD -d 10.10.10.0/24 -j ACCEPT --match policy --pol ipsec --dir out --proto esp
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 1992 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
# Completed
# Generated by webmin
*mangle
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp -m tcpmss -s 10.10.10.0/24 -o eth0 --tcp-flags SYN,RST SYN -j TCPMSS --match policy --pol ipsec --dir in --mss 1361:1536 --set-mss 1360
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m addrtype -j DOCKER --dst-type LOCAL
-A OUTPUT -m addrtype ! -d 127.0.0.0/8 -j DOCKER --dst-type LOCAL
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A POSTROUTING -m policy -s 10.10.10.0/24 -o eth0 -j ACCEPT --pol ipsec --dir out
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed
Log (there really is nothing more than this from when I tried opening various pages):
May 12 16:12:01 webmin charon: 11[NET] received packet: from 88.153.xxx.xxx[48105] to 54.37.xxx.xxx[4500] (76 bytes)
May 12 16:12:01 webmin charon: 11[ENC] parsed INFORMATIONAL request 7 [ ]
May 12 16:12:01 webmin charon: 11[ENC] generating INFORMATIONAL response 7 [ ]
May 12 16:12:01 webmin charon: 11[NET] sending packet: from 54.37.xxx.xxx[4500] to 88.153.xxx.xxx[48105] (76 bytes)
May 12 16:16:19 webmin charon: 12[NET] received packet: from 88.153.xxx.xxx[48105] to 54.37.xxx.xxx[4500] (460 bytes)
May 12 16:16:19 webmin charon: 12[ENC] parsed CREATE_CHILD_SA request 8 [ N(REKEY_SA) SA No TSi TSr ]
May 12 16:16:19 webmin charon: 12[IKE] CHILD_SA ikev2-vpn{3} established with SPIs ca75fbdc_i de818e76_o and TS 0.0.0.0/0 === 10.10.10.1/32
May 12 16:16:19 webmin charon: 12[ENC] generating CREATE_CHILD_SA response 8 [ SA No TSi TSr ]
May 12 16:16:19 webmin charon: 12[NET] sending packet: from 54.37.xxx.xxx[4500] to 88.153.xxx.xxx[48105] (204 bytes)
May 12 16:16:19 webmin charon: 06[NET] received packet: from 88.153.xxx.xxx[48105] to 54.37.xxx.xxx[4500] (76 bytes)
May 12 16:16:19 webmin charon: 06[ENC] parsed INFORMATIONAL request 9 [ D ]
May 12 16:16:19 webmin charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 73db21dc
May 12 16:16:19 webmin charon: 06[IKE] closing CHILD_SA ikev2-vpn{3} with SPIs c2ea95b9_i (18733249 bytes) 73db21dc_o (156086043 bytes) and TS 0.0.0.0/0 === 10.10.10.1/32
May 12 16:16:19 webmin charon: 06[IKE] sending DELETE for ESP CHILD_SA with SPI c2ea95b9
May 12 16:16:19 webmin charon: 06[IKE] CHILD_SA closed
May 12 16:16:19 webmin charon: 06[ENC] generating INFORMATIONAL response 9 [ D ]
May 12 16:16:19 webmin charon: 06[NET] sending packet: from 54.37.xxx.xxx[4500] to 88.153.xxx.xxx[48105] (76 bytes)
Could it be that not all connections are being tunnelled, and only the ones that are, are this slow?
- Client is Win 10 1803.
Do you have any idea what could be causing this?
Thanks & regards, nessor
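Added example (Python; not part of nessor's post and not strongSwan code): the post's symptoms are the classic shape of an MTU/MSS problem in an IPsec tunnel, and the mangle table above already carries a TCPMSS clamp. This script works the size budget through for exactly the proposals in the ipsec.conf shown (aes256-sha1 and 3des-sha1, i.e. CBC ciphers with HMAC-SHA1-96) under the UDP encapsulation that forceencaps=yes enforces, using the header sizes from RFC 4303 (ESP) and RFC 3948 (UDP encapsulation). It then emulates the rule `-j TCPMSS --mss 1361:1536 --set-mss 1360` to check whether the clamp target and the untouched MSS values stay within what the tunnel can carry without fragmenting. The 1500-byte outer MTU and the 1460-byte Ethernet SYN MSS are assumptions, as is the 1400/1360 comparison value.

```python
"""Size budget for ESP-in-UDP (NAT-T) and a check of a TCPMSS clamp rule.

Added example, not from the forum post. Header sizes follow RFC 4303 / RFC 3948;
the cipher table only covers the CBC proposals named in the post's ipsec.conf.
AEAD proposals (e.g. aes-gcm) have a different layout and are not modelled here.
"""

IPV4_HDR = 20        # outer IPv4 header
UDP_HDR = 8          # UDP header added by NAT-T / forceencaps (port 4500)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TCP_IPV4_HDRS = 40   # inner IPv4 (20) + TCP (20), used for the MSS figure

# CBC block size in bytes; the explicit IV has the same length as one block.
CIPHER_BLOCK = {"aes256": 16, "aes128": 16, "3des": 8}
# ICV length in bytes for the truncated HMACs (SHA1-96, SHA2-256-128).
INTEG_ICV = {"sha1": 12, "sha256": 16}


def max_inner_packet(outer_mtu, cipher="aes256", integ="sha1", nat_t=True):
    """Largest inner IP packet that fits one outer packet without fragmentation."""
    block = CIPHER_BLOCK[cipher]
    icv = INTEG_ICV[integ]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + block + icv
    # payload + padding + trailer must be a whole number of cipher blocks
    encrypted = ((outer_mtu - fixed) // block) * block
    return encrypted - ESP_TRAILER


def max_tcp_mss(outer_mtu, **kw):
    """TCP MSS the tunnel carries unfragmented: inner MTU minus IPv4+TCP headers."""
    return max_inner_packet(outer_mtu, **kw) - TCP_IPV4_HDRS


def apply_clamp(syn_mss, mss_range=(1361, 1536), set_mss=1360):
    """Emulate '-j TCPMSS --mss LO:HI --set-mss X': only SYNs inside the range change."""
    lo, hi = mss_range
    return set_mss if lo <= syn_mss <= hi else syn_mss


def clamp_is_sufficient(mss_range, set_mss, outer_mtu, largest_syn_mss=1460, **kw):
    """True if the clamp target fits the tunnel and no realistic SYN slips past untouched.

    Untouched SYNs are those below LO (fine only if LO - 1 <= limit) and above HI
    (fine only if HI covers the largest MSS a client would advertise, 1460 on Ethernet).
    """
    limit = max_tcp_mss(outer_mtu, **kw)
    lo, hi = mss_range
    if set_mss > limit:
        return False          # the rewritten SYNs would themselves be too large
    return lo - 1 <= limit and hi >= largest_syn_mss


def budget_table(outer_mtu=1500):
    """Rows of (cipher, nat_t, inner MTU, MSS) for the proposals in the post."""
    rows = []
    for cipher in ("aes256", "3des"):
        for nat_t in (True, False):
            rows.append((cipher, nat_t,
                         max_inner_packet(outer_mtu, cipher=cipher, nat_t=nat_t),
                         max_tcp_mss(outer_mtu, cipher=cipher, nat_t=nat_t)))
    return rows


if __name__ == "__main__":
    for cipher, nat_t, inner, mss in budget_table():
        print(f"{cipher:7s} nat_t={str(nat_t):5s} inner MTU {inner}  max MSS {mss}")
    # The rule from the post's mangle table, checked against a 1500-byte outer MTU
    # (assumed) and the aes256-sha1 proposal that is first in the esp= line.
    print("post's clamp ok :", clamp_is_sufficient((1361, 1536), 1360, 1500))
    # A constructed variant with a clamp target above the tunnel budget.
    print("1400 clamp ok   :", clamp_is_sufficient((1361, 1536), 1400, 1500))
```

For aes256-sha1 over UDP 4500 with a 1500-byte outer MTU the budget comes out at an inner MTU of 1422 bytes and a maximum MSS of 1382, so the post's `--set-mss 1360` is on the safe side of that line; practitioners usually clamp somewhat lower than the computed maximum to leave headroom for uplinks with a smaller MTU (PPPoE, for example). Note that the clamp only rewrites SYNs from the 10.10.10.0/24 clients; it says nothing about the outer packets the server itself emits, which is where the `ip_no_pmtu_disc` setting in the sysctl.conf above comes into play.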