Download speed seems limited #442
Comments
@Pouriyahe Hello! VPNs (such as L2TP/IPsec) have overhead due to packet encapsulation and encryption/decryption. It is normal to have lower throughput compared to connections without VPN. The alternative connection mode, IPsec/XAuth [1], has lower overhead compared to L2TP/IPsec, which you can try to see if the throughput improves. Regarding Windows 10 1803, can you try appending
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md
If you think you are limited by resources, try using aes_gcm (in IKEv2)
as it is at least twice as fast as aes-shaX.
But usually speed issues are caused by packet sizes or fragmentation issues
or replay window.
You can try adding mtu=1350 to see if that would help you. It should
cause packets to be smaller.
Another fix can be to use TCPMSS:
https://libreswan.org/wiki/FAQ#My_ssh_sessions_hang_or_connectivity_is_very_slow
Or if you are on high speed links (1gbps or more) and see a low speed, try:
replay-window=0
If that helps, you know it is due to the speed and replay window size.
Try to enable it again though, since it is a useful feature. See if
setting it to 64 or 128 will be enough.
Paul
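Added example (not part of the comment above or of libreswan): the packet-size arithmetic behind the mtu= and TCPMSS advice, for ESP tunnel mode over IPv4 with NAT traversal. Header sizes follow the RFC 4303 layout; the suite table and the 1500/1400-byte path MTUs are assumptions, and L2TP/IPsec adds further L2TP and PPP headers that are not counted here.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, RFC 4303 layout).
# The suite table and the path MTU values used below are assumptions.
OUTER_IP = 20      # outer IPv4 header, no options
NATT_UDP = 8       # UDP encapsulation header when NAT traversal is in use
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
TCP_IP = 40        # inner IPv4 + TCP headers without options

# name: (IV bytes, alignment of the encrypted part, ICV bytes)
SUITES = {
    "aes-cbc + hmac-sha1-96": (16, 16, 12),
    "aes-cbc + hmac-sha2-256-128": (16, 16, 16),
    "aes-gcm (16-byte ICV)": (8, 4, 16),
}

def esp_packet_size(inner_len, suite, natt=True):
    """Size on the wire of one ESP packet carrying an inner IP packet."""
    iv, align, icv = SUITES[suite]
    body = inner_len + ESP_TRAILER
    body += -body % align                 # padding up to the alignment
    return OUTER_IP + (NATT_UDP if natt else 0) + ESP_HDR + iv + body + icv

def max_inner_packet(path_mtu, suite, natt=True):
    """Largest inner IP packet that still fits in path_mtu unfragmented."""
    iv, align, icv = SUITES[suite]
    room = path_mtu - OUTER_IP - (NATT_UDP if natt else 0) - ESP_HDR - iv - icv
    return room // align * align - ESP_TRAILER

def max_tcp_mss(path_mtu, suite, natt=True):
    """MSS to clamp to so full-size TCP segments avoid fragmentation."""
    return max_inner_packet(path_mtu, suite, natt) - TCP_IP

if __name__ == "__main__":
    # Columns: path MTU, suite, max inner packet, max MSS, does a 1350-byte
    # inner packet (the mtu=1350 suggestion) fit without fragmentation?
    for mtu in (1500, 1400):
        for name in SUITES:
            print(mtu, name, max_inner_packet(mtu, name),
                  max_tcp_mss(mtu, name), esp_packet_size(1350, name) <= mtu)
```

On a 1500-byte path a 1350-byte inner packet fits for every suite in the table, while on a 1400-byte path it does not, which is where a lower MTU or an MSS clamp becomes necessary.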
@hwdsl2 Thanks for responding.
@Pouriyahe To fix the Android IPsec/XAuth issue (and possibly also the Windows 10 issue), change Windows error 789 may be caused by incorrect IPsec pre-shared key (PSK) (mismatched with the server) in your VPN connection settings. Please double check. Let us know if this fix works.
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above
Try pinging with a ping app to 1.1.1.1 (the Cloudflare DNS IP). If that works, the IPsec SA is up. Try http://1.1.1.1 to see if your TCP works and perhaps you only have a DNS issue.
It would be best to try and use IKEv2 or IKEv1/XAUTH instead of L2TP/IPsec due to the additional headaches of L2TP using transport mode.
Windows has a lot of issues. IKEv2 Fragmentation is only supported as of Windows 10 April 2018 build. If you see issues when using LTE/4G/5G, try updating to the latest win10.
Another known issue is reconnecting not working, see this techinline blog
The most compatible ike/esp lines to support Apple, android with strongswan and Windows is:
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1,aes256-sha1
…Sent from my phone
On Sep 11, 2018, at 10:47, Pouriyahe ***@***.***> wrote:
@hwdsl2 Thanks for responding.
trying IPsec/XAuth on Android does not help since it says "connected" but there seems to be no internet connection whatsoever.
About win 10, appending ,aes256-sha2_256 to the end of the phase2alg line in /etc/ipsec.conf and restarting did not solve the problem but the error message has now changed to: "the L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
@letoams
TCPMSS seems to be improving the download speed but it didn't solve the whole issue.
thanks again.
On Sep 11, 2018, at 10:55, Lin Song ***@***.***> wrote:
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above
Ohh, I didn’t know about backwards compatibility mode! I’ll add it to the libreswan documentation too.
Thanks!
So,
@Pouriyahe You’re welcome! Glad to hear that the Android IPsec/XAuth worked and the throughput improved. The issue you mentioned where you can no longer connect with L2TP through your router, is because you first used XAuth mode on your phone to connect, and because many Android clients do not properly delete the IPsec SA on disconnect, the VPN server “remembers” the XAuth mode from that IP address, and will not allow L2TP clients to connect from that same IP. To fix it, simply run “service ipsec restart” on your VPN server, or alternatively, reboot your server. This issue could also resolve itself after a few minutes without restarting. The Shrew Soft VPN client is outdated and may not work on Windows 10 (not officially supported).
- Add troubleshooting sections for Windows 10 version 1803 and macOS IPsec/L2TP mode "Send all traffic" - Cleanup - Ref: hwdsl2#442 hwdsl2#376
Hi
thanks for your wonderful effort.
My main problem is when I connect to L2TP/IPsec on Android, download speed is very low but upload speed is OK. The server has a DL speed of 607 Mbps and UL 250 Mbps and the client has DL 25 Mbps and UL 15 Mbps, but when connected to VPN, the client's DL speed seems to be limited to 1.2 Mbps while UL speed is up to 13 Mbps.
I also have a side issue that I don't really care about but it would be great if that could be solved as well:
Windows 10 1803 won't connect to L2TP despite the reg fix and everything I could find online.