IPSEC VPN not allowing file transfers over ~230mb

As the title says, IPSEC VPN drops connection/stops transferring a file when it reaches around 230mb. In the process of troubleshooting, I set up another IPSEC VPN at another location and attempted the same file download. And once again, it stopped at 230mb. The VPN said I was still connected in Windows 11, but the IPSEC server says I am disconnected. This was tested on 2 different versions of IPFire:

1st test - IPFire 2.27 (x86_64) - Core-Update 179

2nd test - IPFire 2.29 (x86_64) - Core-Update 198

As I understand it, you are connecting Windows 11 to the IPSEC IPFire server.
Are you using the IPSEC client built into Windows 11?

Regards

I am using Windows 11 built in VPN connection.

Have you reviewed the IPsec logs on IPFire?

edit

Just to be sure, is it mb or MB? :wink:

I assume 230MB.

How long did the download take—how much time passed from the start of the download to the disconnection?

I have just run some tests, transferring a 1.5GB file. This was done via an IPSec Net-to-Net connection and also via an IPSec Road Warrior connection with both a PSK and a certificate based connection.

The connection for the Road Warrior was using Network Manager with a StrongSwan plugin on a Linux laptop.

In all three cases the 1.5GB file was fully transferred with no interruption. Transfer time was around 2 minutes via a wifi connection from the laptop.

I can’t do a test with a Windows client as I have no Windows systems on my network. There might be some setting in the Windows 11 IPsec client that is causing the problem, but other IPSec users that work with Windows would need to provide their evaluation input.

The suggestion from @tphz to look at the IPFire IPSec system logs is a good starting point. Also look at the logs of the Windows 11 client for any messages when the connection is dropped/stalls. Hopefully there should be some clue in one of those two places for what is happening.

2 Likes

Yes, it just says client disconnected (but Windows 11 still shown as connected). I have done this on 3 different Windows 11 PCs (at 2 different locations) and all three do the exact same thing, and on 2 different IPSEC VPNs with different hardware.

It very well could be Windows 11, as this is a recent occurrence and has never happened before that I know of. If I can find a Windows 10 PC around I will try that next.

Yes, it is 230MB and took less than 30 seconds.

Have you considered migrating to WireGuard?

After some digging and looking at the logs, it appears for some reason Windows 11 re-initiates the VPN connection during the download. I see this pop up in the log:

23:19:45 charon:  14[IKE] no acceptable proposal found 
23:19:45 charon:  14[IKE] failed to establish CHILD_SA, keeping IKE_SA 
23:19:45 charon:  14[ENC] generating CREATE_CHILD_SA response 4 [ N(NO_PROP) ] 
23:19:45 charon:  14[NET] sending packet: from 192.168.1.2[4500] to xx.xx.xx.xx[4500] (65 bytes) 
23:20:05 charon:  10[IKE] sending keep alive to xx.xx.xx.xx[4500] 
23:20:25 charon:  13[IKE] sending keep alive to xx.xx.xx.xx[4500] 
23:20:45 charon:  05[IKE] sending keep alive to xx.xx.xx.xx[4500] 
23:20:45 charon:  07[IKE] sending DPD request 
23:20:45 charon:  07[ENC] generating INFORMATIONAL request 0 [ ] 
23:20:45 charon:  07[NET] sending packet: from 192.168.1.2[4500] to xx.xx.xx.xx[4500] (57 bytes) 
23:20:45 charon:  06[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.2[4500] (72 bytes) 
23:20:45 charon:  06[ENC] parsed INFORMATIONAL response 0 [ ] 
23:20:49 charon:  13[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.2[4500] (440 bytes) 
23:20:49 charon:  13[ENC] parsed CREATE_CHILD_SA request 5 [ SA No TSi TSr ] 
23:20:49 charon:  13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ 
23:20:49 charon:  13[CFG] configured proposals: ESP:CHACHA20_POLY1305/CURVE_448/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/ECP_521/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/ECP_384/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_4096/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_3072/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_2048/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_1024/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/CURVE_448/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/ECP_521/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/ECP_384/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_4096/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_3072/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_2048/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_1024/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/CURVE_448/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/ECP_521/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/ECP_384/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_4096/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_3072/NO_EXT_SEQ, ES

And after a bit of pot luck searching I came across this answer from Microsoft:

In PowerShell:

Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force

Fix for Windows 11 VPN IPSEC Disconnection issues

Once applied, it fixed the issue.

4 Likes
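The mismatch visible in the charon log above (the client's CREATE_CHILD_SA request offers AES-CBC/3DES/DES/NULL with HMAC-SHA1 and no DH group, while the server lists only CHACHA20_POLY1305 with a DH group) can be pulled out of a log excerpt automatically. The following is an added example, not part of the thread and not strongSwan's own selection code: it is a simplified per-transform-type comparison, and the `LEGACY` set and all function names are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the charon lines quoted in the thread;
# the last proposal is cut off the same way the pasted log is.
SAMPLE_LOG = """\
23:20:49 charon:  13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
23:20:49 charon:  13[CFG] configured proposals: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ, ESP:CHACHA20_POLY1305/MODP_2048/NO_EXT_SEQ, ES
"""

LINE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)")
DH = re.compile(r"^(MODP|ECP|CURVE)_")
INTEG = re.compile(r"^(HMAC_|AES_XCBC|AES_CMAC)")
ESN = {"EXT_SEQ", "NO_EXT_SEQ"}
# Assumption: transforms this example reports as legacy when a peer offers them.
LEGACY = {"DES_CBC", "3DES_CBC", "NULL", "HMAC_MD5_96", "HMAC_SHA1_96", "MODP_1024"}
KINDS = ("encr", "integ", "dh")

def classify(transform):
    if transform in ESN:
        return "esn"
    return "dh" if DH.match(transform) else "integ" if INTEG.match(transform) else "encr"

def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> one {kind: set(transforms)} dict per proposal."""
    proposals = []
    for item in text.split(","):
        _proto, _, body = item.strip().partition(":")
        if not body:          # truncated tail such as a bare 'ES'
            continue
        prop = {"encr": set(), "integ": set(), "dh": set(), "esn": set()}
        for transform in body.split("/"):
            prop[classify(transform)].add(transform)
        proposals.append(prop)
    return proposals

def analyse(log):
    """Compare the last received/configured proposal lines in a log excerpt."""
    sides = {m.group(1): parse_proposals(m.group(2))
             for m in map(LINE.search, log.splitlines()) if m}
    rx, cfg = sides.get("received", []), sides.get("configured", [])
    offered = {k: set().union(*(p[k] for p in rx)) for k in KINDS}
    wanted = {k: set().union(*(p[k] for p in cfg)) for k in KINDS}
    report = {"common_" + k: sorted(offered[k] & wanted[k]) for k in KINDS}
    # True when every configured proposal carries a DH group and the peer offers none.
    report["pfs_mismatch"] = bool(cfg) and all(p["dh"] for p in cfg) and not offered["dh"]
    report["legacy_offered"] = sorted(set().union(*offered.values()) & LEGACY)
    return report

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

An empty `common_encr` together with `pfs_mismatch` set to true is the pattern behind `no acceptable proposal found`; the `legacy_offered` list shows which offered transforms would be worth refusing on the server regardless.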