ISP marking ipsec traffic based on certificate, how is this possible?
Hello list, I have a site-to-site ipsec vpn with strongswan. It was working well for 5-6 months then a day ago I have noticed something strange, that from Site-A to Site-B (tunnel mode) only the upload bandwidth is capped down to 20-30kbit/s inside the VPN. I have tried various apps like ftp, scp on different ports it was the same result. I also ran speedtest/wget on both endpoints just to make sure that not the entire connection of those networks are capped. Since outside parties cannot see anything from what's going on inside the tunnel, first I was thinking that they started limiting the traffic based on port (4500 udp) or based on protocol (ESP), that is easy to do. In older versions of strongswan it's not possible to change the charon nat port (probably wouldn't work anyway since most of the traffic should be ESP (protocol 50)). I have restarted the strongswan daemon on both endpoints multiple times it did not change the situation (the bandwidth limiting was still present). So my last idea was to make new vpn certificates. For my biggest surprise with the new certificates the capping was gone and the bandwidth went back to normal. I hope I don't have to put the old certs back from backup just to make a point. One of the ISPs must started tagging the ipsec traffic based on the certificate and then do traffic shaping (QoS) on it to throttle down the bandwidth. How is this even possible? I was thinking that an ipsec connection is encrypted and random from the beginning. How can they define a pattern to their whatever device to be able to mark this specific traffic? Is there a part at the beginning of the connection sequence which is always the same with using the same certificate? Do I have to worry about here that my vpn keys got compromised? Anybody ever experienced this? Thanks!
Sure your VPN tunnel wasn't 'stuck' flowing through a less than optimal or saturated ISP upstream transit peer? Sometimes, just restarting your VPN may force the traffic through a different path in your ISP's network and clear up an issue. We manage many customer IPsec tunnels, hit similar situations where a restart works the best especially when the issue is not in under your control. Sincerely, Nick Ellermann – CTO & VP Cloud Services BroadAspect E: nellermann@broadaspect.com P: 703-297-4639 F: 703-996-4443 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Zimmer Sent: Thursday, December 17, 2015 4:29 AM To: nanog@nanog.org Subject: ISP marking ipsec traffic based on certificate, how is this possible? Hello list, I have a site-to-site ipsec vpn with strongswan. It was working well for 5-6 months then a day ago I have noticed something strange, that from Site-A to Site-B (tunnel mode) only the upload bandwidth is capped down to 20-30kbit/s inside the VPN. I have tried various apps like ftp, scp on different ports it was the same result. I also ran speedtest/wget on both endpoints just to make sure that not the entire connection of those networks are capped. Since outside parties cannot see anything from what's going on inside the tunnel, first I was thinking that they started limiting the traffic based on port (4500 udp) or based on protocol (ESP), that is easy to do. In older versions of strongswan it's not possible to change the charon nat port (probably wouldn't work anyway since most of the traffic should be ESP (protocol 50)). I have restarted the strongswan daemon on both endpoints multiple times it did not change the situation (the bandwidth limiting was still present). So my last idea was to make new vpn certificates. For my biggest surprise with the new certificates the capping was gone and the bandwidth went back to normal. I hope I don't have to put the old certs back from backup just to make a point. One of the ISPs must started tagging the ipsec traffic based on the certificate and then do traffic shaping (QoS) on it to throttle down the bandwidth. How is this even possible? I was thinking that an ipsec connection is encrypted and random from the beginning. How can they define a pattern to their whatever device to be able to mark this specific traffic? Is there a part at the beginning of the connection sequence which is always the same with using the same certificate? Do I have to worry about here that my vpn keys got compromised? Anybody ever experienced this? Thanks!
If you’re using certificates, It could be possible you may have changed your VPN from IPSEC to SSLVPN. In which case it now runs over TCP port 443. So maybe they’re not doing traffic shaping on TCP 443. James On 18/12/2015 2:21 pm, "Nick Ellermann" <nellermann@broadaspect.com> wrote:
Sure your VPN tunnel wasn't 'stuck' flowing through a less than optimal or saturated ISP upstream transit peer? Sometimes, just restarting your VPN may force the traffic through a different path in your ISP's network and clear up an issue. We manage many customer IPsec tunnels, hit similar situations where a restart works the best especially when the issue is not in under your control.
Sincerely, Nick Ellermann – CTO & VP Cloud Services BroadAspect
E: nellermann@broadaspect.com P: 703-297-4639 F: 703-996-4443
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Zimmer Sent: Thursday, December 17, 2015 4:29 AM To: nanog@nanog.org Subject: ISP marking ipsec traffic based on certificate, how is this possible?
Hello list,
I have a site-to-site ipsec vpn with strongswan. It was working well for 5-6 months then a day ago I have noticed something strange, that from Site-A to Site-B (tunnel mode) only the upload bandwidth is capped down to 20-30kbit/s inside the VPN. I have tried various apps like ftp, scp on different ports it was the same result. I also ran speedtest/wget on both endpoints just to make sure that not the entire connection of those networks are capped.
Since outside parties cannot see anything from what's going on inside the tunnel, first I was thinking that they started limiting the traffic based on port (4500 udp) or based on protocol (ESP), that is easy to do.
In older versions of strongswan it's not possible to change the charon nat port (probably wouldn't work anyway since most of the traffic should be ESP (protocol 50)). I have restarted the strongswan daemon on both endpoints multiple times it did not change the situation (the bandwidth limiting was still present).
So my last idea was to make new vpn certificates. For my biggest surprise with the new certificates the capping was gone and the bandwidth went back to normal. I hope I don't have to put the old certs back from backup just to make a point.
One of the ISPs must started tagging the ipsec traffic based on the certificate and then do traffic shaping (QoS) on it to throttle down the bandwidth. How is this even possible? I was thinking that an ipsec connection is encrypted and random from the beginning. How can they define a pattern to their whatever device to be able to mark this specific traffic? Is there a part at the beginning of the connection sequence which is always the same with using the same certificate?
Do I have to worry about here that my vpn keys got compromised?
Anybody ever experienced this?
Thanks!
participants (3)
-
Mark Zimmer
-
Nick Ellermann
-
Tin, James