[Openswan Users] Speed issues and MTU settings

Mark van Proctor m.vanproctor at metech.com.au
Mon May 29 15:32:57 CEST 2006

Hi all,
I emailed a while back asking for help with speed / mtu issues and never
really got any response.
I have the following scenario:
computer A <-- CAT 5 --> gateway A <-- E1 (2Mbps/2Mbps) -> INTERNET <- DSL
(512kbps/512kbps) -> DSL Modem <- CAT 5 -> gateway B <-- CAT 5 --> computer

Gateway A is RHEL 4 running Openswan 2.4.0 + NETKEY (26sec)
Gateway B is RHEL 3 running Racoon + NETKEY (26sec)

Having done some speed tests using sftp for transferring an 87 MB file, I
have ascertained the following:

Computer A <--> Gateway B (through the VPN): 47.37 kB/s
# To me this means that there is no issue with the VPN or line speed
Computer A <--> Computer B (through the VPN): 25.83 kB/s
# To me this means there is some issue with the routing occurring on gateway
B, most likely fragmentation of packets
Gateway A <--> Computer B (NOT through the VPN): 27.45 kB/s
# This issue is not limited to VPN traffic...

So I performed the following tasks:

Now, being that gateway B is connected via a DSL modem, I dropped the
external interface on gateway B (the one connected to the DSL modem) to an
MTU of 1492. I'm not 100% sure if this is necessary as the Computer A <-->
Gateway B did not suffer speed issues...

Seeing as ALL data is apparently being fragmented, I dropped the internal
interface on gateway B (the one connected to computer B) to an MTU of 1400.
I'm not 100% sure if this is the best value, I just picked it randomly.

I figured that VPN traffic will add something to it, so I limited the IP route
that the VPN established to 1444. Again, not 100% sure if this is the best
value, I just picked it randomly.

So this gave me the following statistics:
Computer A <--> Computer B (through the VPN): 45.72 kB/s
# Woohoo, fixed!!

So, I guess this is a twofold email. Firstly, anyone else having speed issues
(I was running at 50% capacity as you can see above), try this! Secondly,
can anyone help me with optimising these MTU numbers? Other than me having
to run this speed test (takes between 30 mins and 1 hour, depending on
whether I get fragmented)? Alternatively, is there some *faster* way of
determining if my packets are being fragmented?

I guess what I would like to know is:

What MTU values should I have for my internal interface, my vpn route and my
external interface to optimise the throughput?

Please note that this is in a production environment so I am not keen on
having to stop / start the vpn consistently to test.

Thanks in advance,


Mark van Proctor
Metech Pty Ltd
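A faster way to answer the fragmentation question in the post than timing an 87 MB transfer is to probe the path with DF-marked pings and binary-search the largest payload that gets through; the path MTU is that payload plus the 28 bytes of IPv4 and ICMP headers. This is an added example, not code from the original post; it assumes Linux iputils ping (so `-M do` and `-s` exist) and the target address is a placeholder to replace with gateway B or computer B.

```sh
#!/bin/sh
# Added example: locate the path MTU between this host and a target by sending
# single pings with the DF bit set and narrowing the payload size by binary
# search. A size that fails is either dropped or answered with "Frag needed".

# probe SIZE HOST -> exit 0 if a DF-marked ping with SIZE payload bytes is
# answered, non-zero otherwise (timeout, "Frag needed", or local "Message too
# long" when SIZE already exceeds the local interface MTU).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LO HI -> binary search over payload sizes [LO, HI]
# using probe(); prints the largest payload that passes, or "none".
find_max_payload() {
    host=$1; lo=$2; hi=$3; best=none
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))      # fits: look for something larger
        else
            hi=$((mid - 1))                  # too big: shrink the window
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -> path MTU = 20 (IPv4 header) + 8 (ICMP) + payload
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage (192.0.2.1 is a placeholder for gateway B / computer B):
# payload=$(find_max_payload 192.0.2.1 1000 1472)
# [ "$payload" = none ] || echo "path MTU: $(payload_to_mtu "$payload")"
```

Run it once from computer A towards gateway B and once towards computer B: a smaller result on the second run points at the hop where the fragmentation happens, and the MTU you set on the IPsec route should be at most that value less the ESP overhead of the ciphers in use.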

