[ale] VPN's

Steve Tynor tynor at outside.atlanta.twr.com
Tue May 25 10:15:13 EDT 1999


I'm sending this in frustration, hoping that someone on the list has had 
a similar experience and has found a working solution.

We're trying to set up a VPN between our Atlanta, Austin and Canadian
offices. Each office is running a private 10.0.1.* network, with a Linux
2.0.36 masquerading firewall.

We've tried the following: CIPE 1.0.1, CIPE 1.3pre1, VPS 2.0, and even a
homebrewed script running ppp over ssh (similar to what VPS is doing).

Each works to a point.  The tunnels from Atlanta to Canada have been
pretty reliable - no matter which tunnel technique is used.  The
Atlanta/Austin tunnels, however, are universally unreliable.  They'll
hang, drop connection, have generally poor throughput, etc.  We can't
even get some protocols to work (e.g. cvs pserver didn't work at all
over CIPE 1.3, even though ftp and telnet seemed to be marginally
usable).  Yet a simple ssh terminal connection between the two offices
seems to be pretty solid.  Why would ppp over ssh be any less reliable?
To get ppp to work at all well, we had to enable software flow control
and tell ppp to use a low "baudrate". Seems pretty bogus to me, but it
helped.

We're often seeing some pretty significant (10-15%) packet loss between
Atlanta and Austin, but since we're basing that on "ping" and traceroute
responses, I'm not really sure how much weight to give that (ICMP
packets are usually pretty low priority, so a router could drop them
even if passing all other packets, right?)  Neither our Atlanta
(comstar.net) nor Austin (jump.net) ISPs say they can see any network
related problem that should be affecting the VPN, yet Atlanta<->Canada
(home.com) works OK while Atlanta<->Austin doesn't.  Makes me suspect
some sort of router problem in between, but I don't know enough to know
what sort of questions to ask, what sort of diagnostics to run.

I suppose IPsec/Swan is next on our list, but I'm growing weary.  Can
anyone out there let me know of something you're using reliably for
round the clock connectivity between two sites that are being served by
different ISPs (traceroute shows about 10 hops between our two
firewalls -- 'course there's about the same number of hops from Atlanta
to Canada and that's been pretty d*mn reliable).

The HOWTOs (e.g. http://metalab.unc.edu/LDP/HOWTO/mini/VPN.html) are
pretty cavalier about troubleshooting this sort of stuff. We've tried
all we can think of and still don't understand why the links are so
unreliable.

Help? Thanks!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
When suddenly -- nothing happened.

Steve Tynor		Email:   Steve.Tynor at atlanta.twr.com
Tower Technology 	WWW:     http://www.twr.com/
Server-Side Java (tm) Performance Experts