Hello, I need some help using Squid to browse through an ipsec-isakmp tunnel. We have been using Squid internally now for quite a while and recently implemented an ipsec-isakmp tunnel to manage one of our customers' services remotely (via HTTP). The way it is set up is as follows:

192.168.2.0/24 Network (local lan)
 _[ Squid ]____________________________________
|                                              |   Dial-On-Demand
|                                              |___________ _ _ _ _ _ _ [ ipsec-isakmp tunnel ] _ _ _ _ _ _________
|                                              |                                                                    |
_[ Workstations ]______________________________|                                               ____________________|_________________
192.168.1.0/24 Network (local lan)                                                             192.168.102.160/32 Network (customer lan)

Our workstations are on the internal 192.168.1.0 network, and the way the tunnel is set up, the remote router will only accept connections from our 192.168.2.0 network (due to another company using their 1.0 network). We have moved our proxy server to the 2.0 network (192.168.2.220). Traffic through Squid on this network seems fine outbound to the internet, but through the tunnel it is quite slow; if we remove the proxy server from the IE settings and go direct to the 192.168.102.0 network the speed is increased dramatically. We are unsure if this has something to do with the configuration of Squid or the fact that the web service on the remote site we are trying to view contains POST data and Java data. Could you please help? If I can provide any debugs I will be more than willing.

Many thanks,
Darren

Squid Configuration:

cat squid.conf

# Squid Configuration File 02/11/06
http_port 3128
ssl_unclean_shutdown off
icp_port 0
mcast_groups none
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
icp_query_timeout 0
maximum_icp_query_timeout 2000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 10 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_dir ufs /var/cache/squid 15000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
log_ip_on_direct on
mime_table /etc/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
debug_options ALL,1
log_fqdn off
client_netmask 255.255.255.255
hosts_file /etc/hosts
diskd_program /usr/lib/squid/diskd-daemon
unlinkd_program /usr/lib/squid/unlinkd
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Direct Visual
auth_param basic credentialsttl 5 hours
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 0 seconds
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
read_ahead_gap 16 KB
acl all src 192.168.0.0/255.255.0.0
acl tms src 192.168.1.215/255.255.255.255
acl tms src 192.168.1.216/255.255.255.255
acl tms src 192.168.1.217/255.255.255.255
acl tms src 192.168.1.218/255.255.255.255
acl tms src 192.168.1.219/255.255.255.255
acl tms src 192.168.1.1/255.255.255.255
acl tms src 192.168.1.2/255.255.255.255
acl tms src 192.168.1.3/255.255.255.255
acl tms src 192.168.1.4/255.255.255.255
acl tms src 192.168.1.5/255.255.255.255
acl tms src 192.168.1.6/255.255.255.255
acl tms src 192.168.1.7/255.255.255.255
acl tms src 192.168.1.8/255.255.255.255
acl tms src 192.168.1.9/255.255.255.255
acl tms src 192.168.1.10/255.255.255.255
acl tms src 192.168.1.11/255.255.255.255
acl tms src 192.168.1.12/255.255.255.255
acl tms src 192.168.1.13/255.255.255.255
acl tms src 192.168.1.14/255.255.255.255
acl tms src 192.168.1.15/255.255.255.255
acl tms src 192.168.1.16/255.255.255.255
acl tms src 192.168.1.17/255.255.255.255
acl tms src 192.168.1.18/255.255.255.255
acl tms src 192.168.1.19/255.255.255.255
acl xxxtms dst 192.168.102.160/255.255.255.255
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl purge method PURGE
acl CONNECT method CONNECT
acl NTLMUsers proxy_auth REQUIRED
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl bad_sites url_regex -i myspace .premiumtv .youtube .connextra .spikedhumor .doubleclick.net .flashtalking.com .photobucket.com files.ea.com .allofmp3.com adserver.adtech.de the-cloak
http_access allow xxxtms NTLMUsers
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tms
http_access deny bad_sites
http_access allow all NTLMUsers
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/cache/squid
max_open_disk_fds 0
offline_mode off
uri_whitespace strip
nonhierarchical_direct on
prefer_direct off
strip_query_terms off
redirector_bypass off
ignore_unknown_nameservers on
digest_generation on
digest_bits_per_entry 5
digest_rebuild_period 1 hour
digest_rewrite_period 1 hour
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error off
detect_broken_pconn off
balance_on_multiple_ip on
pipeline_prefetch off
request_entities off
high_response_time_warning 0
high_page_fault_warning 0
high_memory_warning 0
store_dir_select_algorithm least-load
ie_refresh off
vary_ignore_expire off
sleep_after_fork 0
minimum_expiry_time 60 seconds
relaxed_header_parser on
deny_info ERR_ACCESS_DENIED bad_sites
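As an added example (not code from Darren's post, nor from the Squid project), the script below summarises Squid's native access.log by destination host, HTTP method and hierarchy code, so the "slow through the tunnel, fast direct" symptom can be checked against what the proxy itself measured: whether only requests to 192.168.102.160 are slow, whether POSTs fare worse than GETs, whether they went DIRECT, and how many 407 (proxy authentication) round-trips the NTLM setup is generating. The log lines embedded in it are constructed sample data, not real output, and the 2000 ms "slow" threshold is an arbitrary assumption.

```python
"""Summarise Squid native access.log entries by destination host.

Added diagnostic example, not code from the original post or from Squid.
Groups requests by destination host, HTTP method and hierarchy code
(DIRECT vs. NONE/peer) and reports how long Squid spent on each, so a
"slow through the tunnel" complaint can be compared with the proxy's own
timings rather than the browser's feel.
"""
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format
# (the format written when emulate_httpd_log is off):
#   timestamp elapsed_ms client action/status bytes method URL ident hierarchy/from type
SAMPLE_LOG = """\
1162460001.101   4532 192.168.1.215 TCP_MISS/200 18204 POST http://192.168.102.160/tms/login.do - DIRECT/192.168.102.160 text/html
1162460003.220   3980 192.168.1.215 TCP_MISS/200 9120 GET http://192.168.102.160/tms/app.jar - DIRECT/192.168.102.160 application/java-archive
1162460005.310    120 192.168.1.216 TCP_HIT/200 5110 GET http://www.example.org/ - NONE/- text/html
1162460006.450    410 192.168.1.216 TCP_MISS/200 7730 GET http://www.example.org/news - DIRECT/203.0.113.10 text/html
1162460008.900   6100 192.168.1.217 TCP_MISS/200 2210 POST http://192.168.102.160/tms/status.do - DIRECT/192.168.102.160 text/html
1162460009.001      0 192.168.1.217 TCP_DENIED/407 1780 GET http://192.168.102.160/tms/ - NONE/- text/html
"""

# Arbitrary threshold (assumption) above which a request is counted as "slow".
SLOW_MS = 2000


def parse_line(line):
    """Parse one native-format line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        elapsed = int(parts[1])
    except ValueError:
        return None
    action, _, status = parts[3].partition("/")
    hierarchy, _, peer = parts[8].partition("/")
    url = parts[6]
    # CONNECT requests are logged as host:port with no scheme; hand urlsplit
    # a network-path form ("//host:port") so it still extracts the host.
    parsed = urlsplit(url if "://" in url else "//" + url)
    return {
        "elapsed_ms": elapsed,
        "client": parts[2],
        "action": action,
        "status": status,
        "method": parts[5],
        "host": parsed.hostname or url,
        "hierarchy": hierarchy,
        "peer": peer,
    }


def summarise(log_text, slow_ms=SLOW_MS):
    """Return {(host, method, hierarchy): {count, median_ms, max_ms, slow}}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["host"], rec["method"], rec["hierarchy"])].append(rec["elapsed_ms"])
    return {
        key: {
            "count": len(times),
            "median_ms": median(times),
            "max_ms": max(times),
            "slow": sum(1 for t in times if t > slow_ms),
        }
        for key, times in groups.items()
    }


def slow_hosts(log_text, slow_ms=SLOW_MS):
    """Hosts with at least one slow request, worst (highest max elapsed) first."""
    worst = {}
    for (host, _method, _hierarchy), stats in summarise(log_text, slow_ms).items():
        if stats["slow"]:
            worst[host] = max(worst.get(host, 0), stats["max_ms"])
    return sorted(worst, key=worst.get, reverse=True)


if __name__ == "__main__":
    import sys
    # Pass a real access.log path as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (host, method, hier), s in sorted(summarise(text).items()):
        print(f"{host:24} {method:7} {hier:8} n={s['count']:<4} "
              f"median={s['median_ms']:>7.0f}ms max={s['max_ms']:>6}ms slow={s['slow']}")
    print("slow hosts:", ", ".join(slow_hosts(text)) or "none")
```

Run it against the file named by cache_access_log in the posted configuration (/var/log/squid/access.log); because emulate_httpd_log is off there, the native format the parser expects is what Squid writes. The elapsed field is the time Squid spent on the whole transaction, so if the customer host shows large medians with DIRECT as the hierarchy code while other hosts do not, the delay lies on the proxy-to-tunnel leg rather than inside the browser-to-proxy leg; a high count of 407 replies in the NONE group shows how much of the traffic is NTLM challenge overhead.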