Speed over IKEv2 VPN
Here's a scenario. Office has 100x100 Mbps fiber connection. I did a remote desktop session to employee laptop over IKEv2 VPN and test their broadband speed. I'm getting 800+ Mbps down and 40+ Mbps up. I thought IKEv2 VPN offers full tunneling. Force all client traffic through the tunnel is selected. If traffic goes thru 100x100 connection, how does it get faster than 800 Mbps on the laptop (at employee's home)?
0
Sign In to comment.
Comments
Forgot to mention the device is M270 running version 12.10.1
Magic???
What tool are you using to test the speed?
Chrome browser on the laptop.
So you were testing the speed that the remote laptop was getting to the Internet, which is not YOUR 100x100 Mbps fiber connection, but the ISP connection at the remote site, correct?
That's right. If all traffic goes through the VPN tunnel, won't that get capped to the slowest speed which is 100 Mbps in this case?
100 down & 40 up would be the caps for the remote user to access your site.
Right but how does speed test get 800+ accessing the test site over VPN? Does speed test traffic not go through the tunnel? Does it go directly from laptop to the test site? If so, isn't that split tunnel?
It doesn't. The speed test is ONLY for the connection from the remote end to the Internet over the remote end's ISP connection.
Presumably you have set up a split tunnel for the VPN connection, with only data to/from your site going over the client VPN.
So "Force all client traffic through the tunnel" does not really mean full tunneling? If so, how exactly do you configure IKEv2 full tunneling?
The IKEv2 client is installed by a user, possibly using the script from a WG firewall admin, and can be set up in split tunnel mode.
I was able to modify my pre-Fireware v10.9 IKEv2 setup after initial installation to set up split tunneling.
And I did set up a IKEv2 setup to connect to my WG firewall manually - not using the predefined script, by reviewing Microsoft docs on how to set up IKEv2, also pre-Fireware v10.9.
The symptoms that you see, strongly suggest that IKEv2 on the user's PC is running split tunneling on the IKEv2 client.
Internet Access Through a Mobile VPN with IKEv2 Tunnel
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_internet_access.html
I'm the one who installed IKEv2 client on the laptop using the script. I have just double checked laptop IKEv2 IPv4 settings. "Use default gateway on remote network" is the default setting. I've never touched that since I installed IKEv2 VPN.
I highly doubt this (full tunneling) is working as intended.
The only way that I can find to identify if the IKEv2 is set up for split tunnel or for Force all on the client end, it to look at the routing table once the IKEv2 is connected.
In Windows, do a route print command in a CMD box to see the routing table.
Time for a support case.
Let us know what you find out if you open one.
Any chance speed test traffic goes through IPv6 connection directly from laptop to test site? I never setup my M270 IPv6.
No idea. But I wouldn't think so.
Packet captures on the client should show what is going on.
I just remote desktop to the laptop and double check IPv6. It's unchecked. I'm not using IPv6 at all.
I did another speed test today. The result looks normal now, under 100 Mbps both direction (70 Mbps down and 12 Mbps up). Not sure how I got 800+ Mbps the other day.
Something weird is happening on the laptop. User complains about VPN getting disconnected every few minutes. That's how I got into troubleshooting and stumble into unusual broadband speed. VPN connection is back to normal now. All I did was roll back WiFi driver to an older version.
It's a mystery