IPSEC Through SFC

lee.cheung · October 17, 2025, 2:38pm

Hi Guys,

Very strange one i cannot explain, but maybe someone can support or suggest something to look at…

We have a SFC tunnel and an IPSEC tunnel successfully running through the SFC bonding… generally everything is working well, however when trying to access the Web interface of a remote device (GNSS Receiver), just for remote management, through the IPSEC, in the SFC tunnel… the web page doesnt open… however remove the peplink device and just use the customer FW with the IPSEC vpn only (No SFC) then the web interface is fine… its strange since SFC shouldnt be able to see or affect anything in the IPSEC tunnel… most parameters are default

MarceloBarros · October 17, 2025, 2:57pm

Hi, @lee.cheung

I do this… but using ZeroTier and works well.

Talking about your topology…
The ipsec tunnel ip?
They are exclusive for the vpn tunnel?

lee.cheung · October 20, 2025, 10:10am

Hi!

Thanks for the post, how are you using ZeroTier? We have the Speedfusion VPN to Speedfusion connect, the customer is connecting their fortigate firewall on the B One LAN and its creating an IPSEC VPN through SFC to their other site (Non peplink). weirdly the web interface of a device is not accessible, doesnt load correctly, through the ipsecVPN, but remove the peplink device /SFC Tunnel and the web interface works thought he IPSEC VPN, feels like some packets might be getting mangled and the Web Interface isnt handling it… i’d tried enabling FEC on the SFC, but this hasnt improved anything

MarceloBarros · October 20, 2025, 12:19pm

Hi, @lee.cheung

ZeroTier is working great… not packet loss.

ZeroTier:
ping 192.168.13.1 -c 5
PING 192.168.13.1 (192.168.13.1): 56 data bytes
64 bytes from 192.168.13.1: seq=0 ttl=64 time=273.539 ms
64 bytes from 192.168.13.1: seq=1 ttl=64 time=277.148 ms
64 bytes from 192.168.13.1: seq=2 ttl=64 time=270.919 ms
64 bytes from 192.168.13.1: seq=3 ttl=64 time=279.972 ms
64 bytes from 192.168.13.1: seq=4 ttl=64 time=255.784 ms

— 192.168.13.1 ping statistics —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 255.784/271.472/279.972 ms

IPSEC
I will build a ipsec configuration with IPSEC at my lab and I will post results here.

ping 192.168.7.1 -c 5
PING 192.168.7.1 (192.168.7.1): 56 data bytes
64 bytes from 192.168.7.1: seq=0 ttl=64 time=47.059 ms
64 bytes from 192.168.7.1: seq=1 ttl=64 time=33.240 ms
64 bytes from 192.168.7.1: seq=2 ttl=64 time=45.694 ms
64 bytes from 192.168.7.1: seq=3 ttl=64 time=41.555 ms
64 bytes from 192.168.7.1: seq=4 ttl=64 time=44.935 ms

— 192.168.7.1 ping statistics —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 33.240/42.496/47.059 ms

Peplink outbound

RUT240 (Zerotier) → LAN → BR1hw3 → INTERNET → SFC → INTERNET → ZeroTier → RUTX12 (Zerotier)

RUT240 (IPSEC) → LAN → BR1hw3 → INTERNET → SFC → INTERNET → Firewall (IPSEC)

bryn.loftus · October 23, 2025, 5:30am

It’s probably MTU path discovery going wrong- test the max packet size through the tunnel, and set MTU and/or MSS clamp