Hi folks,
I have got an IPsec site-to-site VPN between 2 FortiGate appliances:
1x Fortigate 60D connected to the Internet 12/12 Mbit: v5.0,build0310 (GA Patch 11)
1x Fortigate 100D connected to the Internet 20/20 Mbit: v5.0,build0310 (GA Patch 11)
We have got a database application running which transfers a small amount of data through the tunnel (a few MB for login, for example). Although the speed of the connection is not that slow, it takes 2 minutes until we get the login screen.
So I started Wireshark and got the following capture (log.jpg).
I really don't know why there are malformed packets with IPA protocol (192.168.10.248 is the database server IP). Is Wireshark perhaps misinterpreting the protocol?
VPN Phase 1:
Remote Gateway static IP
Mode: Main
Preshared Key
Accept any peer ID
Enable IPSec Interface Mode: NO
IKE Version 1
P1 Proposal 1 - Encryption AES 256 Authentication SHA1
DH Group 5
Keylife 28800
Xauth Disable
NAT Traversal Enable
Keepalive Freq. 10
VPN Phase 2:
P2 Proposal 1 - Encryption AES256 Authentication SHA1
Enable Replay Detection YES
Enable perfect forward secrecy PFS YES
DH Group 5
Keylife Seconds 1800
Auto Keep Alive Enable
Quick Mode Selector Source and Destination Address specified
I have no idea what is causing the slow down... :(
Any hints are welcome!
Daniel
emnoc wrote: diag vpn ipsec status
BTW: I'm really surprised that fritzbox didn't have ikev2 support. I would have thought the 7490s would have it by now.
Here is the result: I would say the configuration is right.
aes: 321920 252672
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 1300864 1207168
sha256: 0 0
sha384: 0 0
sha512: 0 0
NPU HARDWARE
null: 0 0
des: 0 0
3des: 23326 0
aes: 6032 0
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 29358 0
sha256: 0 0
sha384: 0 0
sha512: 0 0
CP0:
null: 0 0
des: 0 0
3des: 24 29
aes: 22 33
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 46 62
sha256: 0 0
sha384: 0 0
sha512: 0 0
SOFTWARE:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
sha384: 0 0
sha512: 0 0
BTW: There are a lot of people waiting for IKEv2 support in Fritz OS. But there is still no announcement.
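A small parser for counter output in the layout quoted in the reply above, as an added example that is not part of the original thread: it totals the counters per crypto engine section and lists any algorithm with non-zero counters in the SOFTWARE section. The sample input is constructed from the layout above, the function names are hypothetical, and the two columns are summed without assuming what each one counts.

```python
import re

# Constructed sample in the layout of the `diag vpn ipsec status` output quoted above.
SAMPLE = """\
NPU HARDWARE
null: 0 0
3des: 23326 0
aes: 6032 0
sha1: 29358 0
CP0:
3des: 24 29
aes: 22 33
sha1: 46 62
SOFTWARE:
aes: 0 0
sha1: 0 0
"""

# A counter line is "<algorithm>: <number> <number>"; anything else is a section header.
COUNTER = re.compile(r"^([A-Za-z0-9]+):\s+(\d+)\s+(\d+)$")

def parse_status(text):
    """Return {section: {algorithm: [col1, col2]}}.
    Counter lines seen before any header go under "(unnamed)"; a name that
    repeats inside one section (such as "null") has its counters summed."""
    sections, current = {}, "(unnamed)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER.match(line)
        if m:
            pair = sections.setdefault(current, {}).setdefault(m.group(1), [0, 0])
            pair[0] += int(m.group(2))
            pair[1] += int(m.group(3))
        else:
            current = line.rstrip(":").strip()
            sections.setdefault(current, {})
    return sections

def totals(sections):
    """Sum of both counter columns for every section."""
    return {name: sum(a + b for a, b in algos.values()) for name, algos in sections.items()}

def software_fallback(sections):
    """Algorithms with non-zero counters in the SOFTWARE section."""
    return sorted(n for n, (a, b) in sections.get("SOFTWARE", {}).items() if a or b)

if __name__ == "__main__":
    parsed = parse_status(SAMPLE)
    print(totals(parsed), software_fallback(parsed))
```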