[Openswan Users] Openswan, ADSL and slow connections

Andrej Trobentar andrej.trobentar at rikom.si
Fri Nov 11 10:30:26 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,


I have the following scenario:

client ---- fw1 ------<internet>----- fw2 ---- camera


IPs are following :
client - 192.168.15.11
fw1   -- 192.168.15.1 (internal)
      \- 193.2.211.10 (public)

fw2   -- 192.168.0.1 (internal)
      \- 193.95.248.223 (public)
camera - 192.168.0.61

- -> fw1 and fw2 are both using openswan 2.4.2dr5 on kernel 2.4.31
- -> fw1 is connected to internet through fiber optic
- -> fw2 is connected to internet through ADSL modem (rp-pppoe 3.6)


I'm accessing the camera through the web browser from the client. Now to my
problem:

1) If I connect to the camera through the tunnel established from client
"ssh -L 6666:camera:80 <fw2 IP>" and point the browser to
"http://localhost:6666" the bandwidth usage is about 35 KB/s (according
to iptraf on fw2) and I can watch the camera without problems at 4 fps.

2) If I connect to the camera through ipsec, i.e. I point my browser to
"http://192.168.0.61:80", the bandwidth usage goes up to 100 KB/s
(according to iptraf on fw2) and the connection is so slow that I can't
watch it (it takes forever to load 1 frame).

Here's the tcpdump trace from 2):

08:54:21.306132 192.168.0.1 > 192.168.0.61: icmp: 192.168.15.11
unreachable - need to frag [tos 0xc0]
08:54:21.306220 192.168.0.61.http > 192.168.15.11.33375: P 113:129(16)
ack 414 win 16368 <nop,nop,timestamp 1909429 241090> (DF)
08:54:21.306260 192.168.0.1 > 192.168.0.61: icmp: 192.168.15.11
unreachable - need to frag [tos 0xc0]
08:54:21.310423 192.168.15.11.33375 > 192.168.0.61.http: . ack 65 win
5840 <nop,nop,timestamp 241090 1909425>
08:54:21.310909 192.168.0.61.http > 192.168.15.11.33375: P 129:145(16)
ack 414 win 16368 <nop,nop,timestamp 1909430 241090> (DF)
08:54:21.310926 192.168.0.1 > 192.168.0.61: icmp: 192.168.15.11
unreachable - need to frag [tos 0xc0]
08:54:21.310999 192.168.0.61.http > 192.168.15.11.33375: P 145:161(16)
ack 414 win 16368 <nop,nop,timestamp 1909430 241090> (DF)
08:54:21.311016 192.168.0.1 > 192.168.0.61: icmp: 192.168.15.11
unreachable - need to frag [tos 0xc0]
08:54:21.331353 192.168.15.11.33375 > 192.168.0.61.http: . ack 81 win
5840 <nop,nop,timestamp 241092 1909427>
08:54:21.331795 192.168.0.61.http > 192.168.15.11.33375: P 161:177(16)
ack 414 win 16368 <nop,nop,timestamp 1909432 241092> (DF)

So I guess it has something to do with fragmentation: in the trace fw2
(192.168.0.1) answers the camera's DF-marked segments with ICMP "need to
frag", so the camera's packets are presumably too large for the path MTU
through the tunnel and it keeps sending them with DF set. I have tried
to put "overridemtu=1492", "overridemtu=500", "overridemtu=1500", ... in
the ipsec.conf on fw2, but with no luck. I have tried to upgrade fw2 to
openswan 2.4.2rc1, but the problem still exists.

I have the same situation on another location except that there fw2 is
connected to the internet through a CABLE modem. I have no problems on
that location.

I have attached the ipsec.conf and ifconfig from fw2. Please let me know
if you need any more information...

- --
Thanks in advance and have a nice day,

	Andrej.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDdGSxVd/NU2yFfAoRArqxAKC87q5OoKsw3Slkq2Me04vaVWiRAQCfSLbi
dM6Zxyd730ZQGfEKGMdYGDo=
=jgJv
-----END PGP SIGNATURE-----
-------------- next part --------------
eth0      Link encap:Ethernet  HWaddr 00:14:C2:3B:12:3D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:224521 errors:0 dropped:0 overruns:0 frame:3
          TX packets:253645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85704707 (81.7 Mb)  TX bytes:139389934 (132.9 Mb)
          Interrupt:3
                                                                                                                               
eth1      Link encap:Ethernet  HWaddr 00:0D:88:FC:F3:14
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:227164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:268401 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:117302635 (111.8 Mb)  TX bytes:83677339 (79.8 Mb)
          Interrupt:5 Base address:0x5000
                                                                                                                               
ipsec0    Link encap:Point-to-Point Protocol
          inet addr:193.95.248.223  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:143432 errors:0 dropped:3 overruns:0 frame:0
          TX packets:158204 errors:162 dropped:36 overruns:0 carrier:162
          collisions:0 txqueuelen:10
          RX bytes:5360985 (5.1 Mb)  TX bytes:32872880 (31.3 Mb)
                                                                                                                               
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:166019 errors:0 dropped:0 overruns:0 frame:0
          TX packets:166019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:47939094 (45.7 Mb)  TX bytes:47939094 (45.7 Mb)
                                                                                                                               
ppp0      Link encap:Point-to-Point Protocol
          inet addr:193.95.248.223  P-t-P:213.250.19.90 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:155243 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:73021406 (69.6 Mb)  TX bytes:65191081 (62.1 Mb)
 
-------------- next part --------------
version 2.0

# Basic configuration
# KLIPS layout: the ipsec0 virtual interface is bound to the PPPoE link ppp0
# (MTU 1492 in the attached ifconfig, while ipsec0 reports MTU 16260).
config setup
	interfaces="ipsec0=ppp0"
	klipsdebug=none
	plutodebug=none
# A new IKE SA from an already-known peer ID replaces the old one instead of
# coexisting with it.
	uniqueids=yes
	nat_traversal=yes
# Private ranges a NATed road-warrior may present as its inner address; the
# local LAN 192.168.0.0/24 is excluded so a client cannot claim it.
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
#	overridemtu=1476
# NOTE(review): left disabled; per the mail body 1492, 1500 and 500 were
# tried on fw2 without effect.


# Defaults inherited by every conn below.
conn %default
# A single negotiation attempt; a tunnel that fails to come up is not
# retried automatically, auto=start conns included.
	keyingtries=1
# Keep KLIPS's tunnel-exit check that decrypted packets carry addresses
# consistent with the tunnel policy (anti-spoofing; =no means "not disabled").
	disablearrivalcheck=no
# Peers authenticate with RSA signatures over X.509 certificates.
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
# NOTE(review): pfs=no disables Perfect Forward Secrecy for the IPsec SAs, so
# rekeyed SAs derive their keys from the Phase 1 secret instead of a fresh DH
# exchange; compromise of that secret exposes every SA keyed from it.
# Consider pfs=yes once both peers are known to support it.
	pfs=no

# Disable Opportunistic Encryption
# The built-in OE policy conns are set to ignore so that only the explicit
# conns further down are loaded.
conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore


# RoadWarrior setup (MS Windows 2000/XP clients), L2TP over IPsec transport
# - client can connect if it is behind NAT
# - client can connect if it has a direct connection to the internet (public IP ; *no* NAT)
# - client can connect from anywhere as long as it has the right certificate, username and password
conn roadwarior-l2tpd
# left is this host's public address (ppp0 in the attached ifconfig).
	left=193.95.248.223
# Restrict the SA to UDP/1701 (L2TP) on both ends.
	leftprotoport=17/1701
	leftcert=fw.vogel.si.pem
	right=%any
	rightprotoport=17/1701
# Only client certificates whose trust path includes this CA are accepted.
	rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, Email=admin at rikom.si"
# The client's inner address may be its own address (%no) or a private
# address from virtual_private (%priv).
	rightsubnet=vhost:%no,%priv
# Tear the SA down when dead peer detection declares the client gone.
	dpdaction=clear
# Load the conn and wait for the client to initiate.
	auto=add


# Static tunnel setup (NET-to-NET)
# Rikom <-> Vogel (LAN Rikom)
# left is fw1 (193.2.211.10, LAN 192.168.15.0/24), right is fw2 (193.95.248.223,
# LAN 192.168.0.0/24); each end is identified by its own certificate.
# NOTE(review): parameter lines below mix 8-space and tab indentation.
conn rikom-vogel-lan_rikom
        left=193.2.211.10
	leftnexthop=193.2.211.1
        leftsubnet=192.168.15.0/24
        leftcert=rikom.sk-branik.si.pem
        right=193.95.248.223
	rightsubnet=192.168.0.0/24
        rightcert=fw.vogel.si.pem
# Bring the tunnel up at startup (only one attempt, see keyingtries in %default).
        auto=start


# Static tunnel setup (NET-to-NET)
# Rikom <-> Vogel (LAN Vzpenjaca)
# Same peers and certificates as rikom-vogel-lan_rikom; only the left subnet
# (192.168.11.0/24) differs, so this is a second tunnel between the same hosts.
# NOTE(review): parameter lines below mix 8-space and tab indentation.
conn rikom-vogel-lan_vzp
        left=193.2.211.10
        leftnexthop=193.2.211.1
        leftsubnet=192.168.11.0/24
        leftcert=rikom.sk-branik.si.pem
	right=193.95.248.223
	rightsubnet=192.168.0.0/24
	rightcert=fw.vogel.si.pem
# Bring the tunnel up at startup (only one attempt, see keyingtries in %default).
	auto=start

