
IPSEC VPN passthrough


ij4xs


Does anyone else here use an IPSEC VPN software client or device?

 

I have a Cisco Meraki Z1 for connecting to work that isn't able to maintain the VPN when running through the Netduma R1. I worked with Fraser over twitter and we found that I would need to put the Z1 in front of the R1 to be able to access work resources. My issue here is that the Z1 tracks all web activity and I don't need work following my every shot in Destiny, Halo, or CS:GO.

 

For the interim I have a Netgear R8500 running as my main device with my gaming behind the R1 and work behind the Z1. I really want the R1 to be my main device.

 

As a side note, when disabling the VPN in the R1, the setting never stayed disabled, and after a reset the VPN page doesn't load.

Link to comment
Share on other sites

  • 2 weeks later...

I have this exact same issue with my ipsec vpn (disconnect inc) client on the iphone. I have to enable reactive to achieve maximum throughput in normal operation. I believe this algorithm disrupts the handshake required to enable the vpn in certain situations. Strangely enough it seems that the disconnect client on the PC functions without issues, however I believe it configures tunneling differently than the iOS client.

 

At any rate, I would imagine this could potentially be something solved with a patch, if the admins were so inclined to check it out. 

Link to comment
Share on other sites

Not sure if this is a related issue, but I was having trouble reaching hosts behind my work VPN (cisco ipsec) until I switched the CC algorithm to preemptive. 

 

I had previously had it set to reactive because my internet connection is 100+ Mb/s but that's what was interfering w/ the VPN traffic. 

 

My setup is: Modem > R1 > Nighthawk (AP mode)

 

The VPN clients could initiate the VPN connection just fine, but any requests to hosts behind that connection would go absolutely nowhere.

Link to comment
Share on other sites
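
One way to check which half of the tunnel is failing when, as in the post above, the VPN connects but traffic to hosts behind it goes nowhere. This is an added example, not code from the thread or from Netduma. It assumes the standard IPsec wire formats (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50), which the thread does not state, and all addresses and packet bytes are constructed.

```python
import struct
from collections import Counter
from ipaddress import ip_address

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet as ike, esp, keepalive or other."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 50:                       # native ESP (no NAT traversal)
        return "esp"
    if proto != 17 or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if 500 in (sport, dport):
        return "ike"
    if 4500 in (sport, dport):            # NAT-T (RFC 3948)
        if payload == b"\xff":
            return "keepalive"
        # Four zero bytes (non-ESP marker) mean IKE; anything else is ESP.
        return "ike" if payload[:4] == b"\x00" * 4 else "esp"
    return "other"

def diagnose(packets, client_ip: str) -> str:
    """Say which half of the tunnel is failing, seen from the VPN client."""
    seen = Counter()
    for pkt in packets:
        direction = "out" if str(ip_address(pkt[12:16])) == client_ip else "in"
        seen[classify(pkt), direction] += 1
    if not (seen["ike", "out"] and seen["ike", "in"]):
        return "handshake-incomplete"
    if not seen["esp", "out"]:
        return "tunnel-up-idle"
    return "data-flowing" if seen["esp", "in"] else "tunnel-up-no-replies"

def ipv4(src, dst, proto, body=b""):
    """Build a minimal IPv4 packet (checksum left at 0) for the sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed) + body

def udp(sport, dport, payload):
    """Build a UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample: handshake completes, ESP leaves the client, nothing returns.
CLIENT, GATEWAY = "192.168.88.10", "203.0.113.5"
SAMPLE = [
    ipv4(CLIENT, GATEWAY, 17, udp(500, 500, b"\x01" * 28)),
    ipv4(GATEWAY, CLIENT, 17, udp(500, 500, b"\x02" * 28)),
    ipv4(CLIENT, GATEWAY, 17, udp(4500, 4500, b"\x00" * 4 + b"\x03" * 28)),
    ipv4(GATEWAY, CLIENT, 17, udp(4500, 4500, b"\x00" * 4 + b"\x04" * 28)),
    ipv4(CLIENT, GATEWAY, 17, udp(4500, 4500, b"\x12\x34\x56\x78" + b"\x05" * 32)),
    ipv4(CLIENT, GATEWAY, 17, udp(4500, 4500, b"\xff")),
]
print(diagnose(SAMPLE, CLIENT))
```

Running the same check over captures taken on the LAN side and the WAN side of the router shows whether the missing packets are being lost inside it.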

I really want to run my network with the netduma right after the modem, but I've got 125 mbps down and can't afford to limit that as my family are heavy users.

 

Here's what I want to do:

modem > R1 > Nighthawk in AP mode

                      > work-VPN-Device

 

Here's how I have it now

modem > Nighthawk > R1

                                 > work-VPN-Device

 

I'll test this tonight with the netduma on preemptive and see what happens. (I'll not be putting the R1 right after the modem so that no one else gets kicked off the internet)

modem > Nighthawk > R1 > work-VPN-Device

Link to comment
Share on other sites

Yeah, in my case preemptive definitely lowered my bandwidth. But having a working VPN connection is more important than bandwidth; at least during my work hours. 

 

I'd prefer to not have to do this workaround, but since there is no way (that I know of) for end-users to debug the R1, I'm not sure what else I can do.

Link to comment
Share on other sites

  • Administrators

Yeah, in my case preemptive definitely lowered my bandwidth. But having a working VPN connection is more important than bandwidth; at least during my work hours. 

 

I'd prefer to not have to do this workaround, but since there is no way (that I know of) for end-users to debug the R1, I'm not sure what else I can do.

 

We can potentially look into this, I'll see if Iain can take a look when he is available.

Link to comment
Share on other sites

Well, it certainly works fine running preemptive congestion control. As soon as I set it to reactive the VPN dies. And I'm maxing down 35 mbps. X-D

Link to comment
Share on other sites

Well, it certainly works fine running preemptive congestion control. As soon as I set it to reactive the VPN dies. And I'm maxing down 35 mbps. X-D

I know that's less than ideal. But I'm glad we at least have a way of connecting to our work VPNs. Let's hope there will be some clarification as to why reactive cc is killing our VPN traffic/connections.

Link to comment
Share on other sites

  • Administrators

Hi,

 

Very cool to see people using the router for different functionality.

 

I haven't looked at ipsec since a brief stint in undergrad days, but the reactive algorithm is just codel. It essentially drops packets at a probabilistic rate if they exceed the rate specified by anti-flood for a small duration.

 

Can you try setting anti-flood to 100% each way, to disable congestion control? Does the problem stop? If so, that will confirm that packet dropping is the problem. Unfortunately, if it is, there is not much you can do, as most algorithms in the world use that as a congestion indicator.

Link to comment
Share on other sites

I made sure that download and upload cap were both at 100% and the IPSEC tunnel still isn't able to connect under reactive control. I'm OK with you checking the router out if you'd like to see what's going on. Let me know and I'll put the VPN device on the R1 and PM you my public IP.

Link to comment
Share on other sites

  • 4 weeks later...

Checking in now that 1.03.6 is out. There was nothing in the release notes about this issue, so I didn't expect anything different. Still, I'd like to put it out there that cisco ipsec vpn connections don't work when the r1 is in "reactive" mode.

 

Also worth noting, @blackJaxs has a vpn hardware gateway whereas I am using a software client (vpnc). Either way, the protocol is the same and the results seem to be the same for both of us.

 

It's not a big deal for me to put the r1 in "preemptive" mode during the day while I work, so this isn't a deal breaker for me. Just making sure it's documented more-or-less.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
