IPSEC OSPF issues

Hey, I’ve gotten some amazing help here before, so I thought I’d ask if anyone might be able to assist me in troubleshooting a connection issue.

I’ve got two networks connected using an IPsec VPN with OSPF. Everything works - the problem is that routing is sometimes a little laggy… What I do most is connect to my remote servers over SSH, and if I run a “large” command with a little bit of output, such as for example ‘history’, the session hangs seemingly forever and I have to start a new session. The new session works flawlessly every time.

I have not seen this issue with SFTP for whatever reason, but I do get the same issues with certain websites loaded inside my network, e.g. loading the Proxmox GUI requires multiple reloads. It seems to help to ping and ncat the ports before trying to open the website - but it is very much hit and miss.

When it works, it works amazingly. I’m just not sure where/how to troubleshoot.

Right:

set protocols ospf area 1 network '169.254.0.0/24'
set protocols ospf area 1 network '10.1.3.0/24'
set protocols ospf area 1 network '10.1.4.0/24'
set protocols ospf area 1 virtual-link x.x.x.x
set protocols ospf interface tun0 authentication md5 key-id 1 md5-key '12345'
set protocols ospf interface tun0 dead-interval '40'
set protocols ospf interface tun0 hello-interval '10'
set protocols ospf interface tun0 network 'point-to-point'
set protocols ospf interface tun0 priority '1'
set protocols ospf interface tun0 retransmit-interval '5'
set protocols ospf interface tun0 transmit-delay '1'
set protocols ospf parameters router-id '10.1.0.1'

set vpn ipsec esp-group ESPG1 lifetime '3600'
set vpn ipsec esp-group ESPG1 mode 'tunnel'
set vpn ipsec esp-group ESPG1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG1 proposal 1 hash 'sha512'
set vpn ipsec ike-group IKEG1 close-action 'restart'
set vpn ipsec ike-group IKEG1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEG1 dead-peer-detection interval '15'
set vpn ipsec ike-group IKEG1 dead-peer-detection timeout '30'
set vpn ipsec ike-group IKEG1 ikev2-reauth
set vpn ipsec ike-group IKEG1 key-exchange 'ikev2'
set vpn ipsec ike-group IKEG1 lifetime '28800'
set vpn ipsec ike-group IKEG1 proposal 1 dh-group '21'
set vpn ipsec ike-group IKEG1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG1 proposal 1 hash 'sha512'
set vpn ipsec interface 'pppoe0'
set vpn ipsec site-to-site peer LEFT authentication local-id 'RIGHT'
set vpn ipsec site-to-site peer LEFT authentication mode 'rsa'
set vpn ipsec site-to-site peer LEFT authentication remote-id 'LEFT'
set vpn ipsec site-to-site peer LEFT authentication rsa local-key 'ipsec-RIGHT'
set vpn ipsec site-to-site peer LEFT authentication rsa remote-key 'ipsec-LEFT'
set vpn ipsec site-to-site peer LEFT connection-type 'initiate'
set vpn ipsec site-to-site peer LEFT default-esp-group 'ESPG1'
set vpn ipsec site-to-site peer LEFT ike-group 'IKEG1'
set vpn ipsec site-to-site peer LEFT local-address 'any'
set vpn ipsec site-to-site peer LEFT remote-address 'x.x.x.x'
set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '192.168.99.1/32'

Left

set protocols ospf area 0 network '10.1.10.0/24'
set protocols ospf area 1 network '169.254.0.0/30'
set protocols ospf area 1 virtual-link 10.1.0.1
set protocols ospf interface tun0 authentication md5 key-id 1 md5-key '12345'
set protocols ospf interface tun0 dead-interval '40'
set protocols ospf interface tun0 hello-interval '10'
set protocols ospf interface tun0 network 'point-to-point'
set protocols ospf interface tun0 priority '1'
set protocols ospf interface tun0 retransmit-interval '5'
set protocols ospf interface tun0 transmit-delay '1'
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 'x.x.x.x'
set protocols static route 0.0.0.0/0 next-hop x.x.x.z

set vpn ipsec esp-group ESPG1 lifetime '3600'
set vpn ipsec esp-group ESPG1 mode 'tunnel'
set vpn ipsec esp-group ESPG1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG1 proposal 1 hash 'sha512'
set vpn ipsec ike-group IKEG1 close-action 'restart'
set vpn ipsec ike-group IKEG1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEG1 dead-peer-detection interval '15'
set vpn ipsec ike-group IKEG1 dead-peer-detection timeout '30'
set vpn ipsec ike-group IKEG1 ikev2-reauth
set vpn ipsec ike-group IKEG1 key-exchange 'ikev2'
set vpn ipsec ike-group IKEG1 lifetime '28800'
set vpn ipsec ike-group IKEG1 proposal 1 dh-group '21'
set vpn ipsec ike-group IKEG1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG1 proposal 1 hash 'sha512'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer RIGHT authentication local-id 'LEFT'
set vpn ipsec site-to-site peer RIGHT authentication mode 'rsa'
set vpn ipsec site-to-site peer RIGHT authentication remote-id 'RIGHT'
set vpn ipsec site-to-site peer RIGHT authentication rsa local-key 'ipsec-LEFT'
set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key 'ipsec-RIGHT'
set vpn ipsec site-to-site peer RIGHT connection-type 'initiate'
set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESPG1'
set vpn ipsec site-to-site peer RIGHT ike-group 'IKEG1'
set vpn ipsec site-to-site peer RIGHT local-address 'x.x.x.x'
set vpn ipsec site-to-site peer RIGHT remote-address 'some.url.co'
set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '192.168.99.2/32'

Is the problem present only for traffic to the remote site, or also to the internet?
At first glance it feels like a TCP MSS issue: PPPoE — VyOS 1.4.x (sagitta) documentation

Internet is fine, just to my remote site.

Edit: also I already have:

set interfaces pppoe pppoe0 ip adjust-mss '1452'

In my local config. Not on the remote site though, as it has a public IP and does not use pppoe.

Your comment got me to check if tunnel needed the same setting, Tunnel — VyOS 1.4.x (sagitta) documentation which it does! Thank you so much!
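The MSS suggestion above and the fix the poster landed on (clamping MSS on the tunnel interface, not only on pppoe0) can be checked with arithmetic. The following is an added worked example, not code from the thread or from VyOS; it assumes the poster's setup is GRE over IPsec (tun0 = plain GRE without key/sequence options, carried inside ESP tunnel mode using the thread's aes256 + sha512 proposal, over a PPPoE link with a 1500-byte Ethernet payload), and it emits the VyOS `set` line for the resulting value. Change `tunnel_hdr` if tun0 is IPIP (no 4-byte GRE header) and the cipher constants if the ESP group differs.

```python
"""Largest TCP MSS that survives GRE-over-IPsec-over-PPPoE without fragmentation.

Added illustration for the forum thread; not VyOS code. The encapsulation
stack and cipher parameters are assumptions about the poster's setup.
"""

# Fixed per-layer header sizes in bytes (IPv4 without options).
ETH_MTU = 1500       # Ethernet payload available to PPPoE
PPPOE_HDR = 6 + 2    # PPPoE session header + PPP protocol field -> IP MTU 1492
OUTER_IP = 20        # IPsec tunnel-mode outer IPv4 header
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
GRE_HDR = 4          # plain GRE (no checksum/key/sequence)
DELIVERY_IP = 20     # IPv4 header GRE adds (192.168.99.x endpoints in the thread)
INNER_IP = 20        # IPv4 header of the host's own packet
TCP_HDR = 20         # TCP header without options

# ESP group in the thread: aes256 (AES-256-CBC) + sha512.
# AES-CBC uses a 16-byte IV and pads the plaintext to a 16-byte multiple;
# "sha512" in strongSwan/VyOS is HMAC-SHA-512-256, i.e. a 32-byte ICV.
AES_CBC_IV = 16
AES_BLOCK = 16
SHA512_ICV = 32


def esp_overhead(plaintext_len: int) -> int:
    """Bytes ESP adds around a plaintext of `plaintext_len` bytes (incl. padding)."""
    unpadded = plaintext_len + ESP_TRAILER
    pad = (-unpadded) % AES_BLOCK          # fill up to the next cipher block boundary
    return ESP_HDR + AES_CBC_IV + pad + ESP_TRAILER + SHA512_ICV


def wire_size(mss: int, tunnel_hdr: int = GRE_HDR + DELIVERY_IP) -> int:
    """Ethernet payload produced by one full-size segment of a TCP flow using `mss`."""
    inner = INNER_IP + TCP_HDR + mss       # the packet the host actually sent
    tunnelled = tunnel_hdr + inner         # after tun0 encapsulation
    return PPPOE_HDR + OUTER_IP + tunnelled + esp_overhead(tunnelled)


def max_mss(link_mtu: int = ETH_MTU, tunnel_hdr: int = GRE_HDR + DELIVERY_IP) -> int:
    """Largest MSS whose segments fit the link; cipher padding makes this non-linear."""
    mss = link_mtu
    while wire_size(mss, tunnel_hdr) > link_mtu:
        mss -= 1
    return mss


def pppoe_only_mss(link_mtu: int = ETH_MTU) -> int:
    """MSS for plain (non-tunnelled) TCP over the PPPoE link: IP MTU minus IP+TCP."""
    return link_mtu - PPPOE_HDR - INNER_IP - TCP_HDR


def vyos_mss_command(mss: int, ifname: str = "tun0") -> str:
    """VyOS 1.4 configuration line clamping the MSS on the tunnel interface."""
    return f"set interfaces tunnel {ifname} ip adjust-mss '{mss}'"


if __name__ == "__main__":
    # The poster's existing pppoe0 clamp (1452) is right for untunnelled traffic
    # but a 1452-byte segment inside the tunnel is far too big for the link.
    print("pppoe0 MSS:", pppoe_only_mss())
    print("1452-byte segment inside the tunnel:", wire_size(1452), "bytes on the wire")
    print("tunnel MSS:", max_mss())
    print(vyos_mss_command(max_mss()))
```

The PPPoE-side link is the bottleneck for both directions of the flow, so the same clamp belongs on tun0 of both routers: each TCP endpoint advertises its own MSS in its SYN, and each router's tunnel interface is the place to rewrite it. If in doubt about the exact overhead (a GRE key, a different cipher, or IPv6 transport all change it), VyOS also accepts `adjust-mss clamp-mss-to-pmtu` on the interface instead of a fixed number.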
