[Openswan Users] Re: Speed issues and MTU settings
Peter McGill
petermcgill at goco.net
Mon May 29 11:02:38 CEST 2006
> Secondly, can anyone help me with optimising these MTU numbers?
A simple internet search of 'optimal mtu' should bring up several samples.
Here is a link to one:
http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm
Now this one doesn't include the IPSec headers, you would want to adjust for them as well.
But it should get you started. It shows you how to determine the optimal setting, using math.
I'm speaking of optimal for speed and low (no) fragmentation.
If this doesn't make any sense to you, try reading up on reading raw packets and how MTU works.
This is a good site for explaining the packet headers, if you already have a basic understanding of network layers and packet construction.
http://www.networksorcery.com/enp/topic/ipsuite.htm
Now to account for IPSec, which is actually several protocols, let's focus on the one transferring most of your data, probably ESP. Now I'm assuming Openswan uses just ESP at this point, but it may not, it would be a good idea to tcpdump some packets to get the actual lengths.
Hmm, it gets complicated from here, ESP has a variable length depending on data size and encryption.
tcpdump on your public interface would really be a good idea, hopefully this will get you started.
As for restarting in a production environment, I do it all the time (a few times a week).
The command itself is almost instantaneous, but it may take a second or two for all the tunnels to reconnect. I use ipsec restart and my users never notice. (I have 20+ tunnels and 37+ users.)
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
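
Added example, not part of the original message and not Openswan code: the ESP adjustment described above, worked through for tunnel-mode ESP over IPv4. The cipher suites (CBC cipher with a 96-bit truncated HMAC), the header sizes and the 1500/1492 path MTUs are assumptions for illustration; confirm the real packet lengths with tcpdump as the message suggests.

```python
# Added example: all sizes in bytes. Suite parameters are assumptions,
# not values read from an Openswan configuration.
OUTER_IP = 20      # outer IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NATT_UDP = 8       # UDP header when NAT traversal encapsulates ESP

# (cipher block size, IV size, truncated ICV size) for two CBC suites
AES_CBC_SHA1 = (16, 16, 12)
TDES_CBC_MD5 = (8, 8, 12)

def esp_packet_size(inner_len, suite, natt=False):
    """Size on the wire of a tunnel-mode ESP packet carrying inner_len bytes."""
    block, iv, icv = suite
    # Inner packet plus trailer is padded up to a whole number of cipher
    # blocks, which is why the overhead varies with the data size.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + (NATT_UDP if natt else 0) + ESP_HDR + iv + encrypted + icv

def max_inner_mtu(path_mtu, suite, natt=False):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    block, iv, icv = suite
    room = path_mtu - OUTER_IP - (NATT_UDP if natt else 0) - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER

def tcp_mss(inner_mtu):
    """MSS for TCP over IPv4 inside the tunnel (20-byte IP + 20-byte TCP)."""
    return inner_mtu - 40

if __name__ == "__main__":
    suites = (("AES-CBC/SHA1-96", AES_CBC_SHA1), ("3DES-CBC/MD5-96", TDES_CBC_MD5))
    for name, suite in suites:
        for path_mtu in (1500, 1492):   # constructed inputs: Ethernet, PPPoE
            inner = max_inner_mtu(path_mtu, suite)
            print(name, "path MTU", path_mtu, "inner MTU", inner,
                  "TCP MSS", tcp_mss(inner),
                  "ESP packet", esp_packet_size(inner, suite))
```

One byte above the computed inner MTU forces a whole extra cipher block of padding and pushes the ESP packet past the path MTU, which is the fragmentation the message is trying to avoid.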