[Openswan Users] Re: Speed issues and MTU settings

Peter McGill petermcgill at goco.net
Mon May 29 11:02:38 CEST 2006


> Secondly, can anyone help me with optimising these MTU numbers?

A simple internet search of 'optimal mtu' should bring up several samples.
Here is a link to one:
http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm
Now this one doesn't include the IPSec headers; you would want to adjust for
them as well. But it should get you started. It shows you how to determine the
optimal setting, using math. I'm speaking of optimal for speed and low (no)
fragmentation. If this doesn't make any sense to you, try reading up on reading
raw packets and how MTU works.

This is a good site for explaining the packet headers, if you already have a
basic understanding of network layers and packet construction:
http://www.networksorcery.com/enp/topic/ipsuite.htm

Now to account for IPSec, which is actually several protocols, let's focus on
the one transferring most of your data, probably ESP. Now I'm assuming Openswan
uses just ESP at this point, but it may not; it would be a good idea to tcpdump
some packets to get the actual lengths. Hmm, it gets complicated from here: ESP
has a variable length depending on data size and encryption. tcpdump on your
public interface would really be a good idea. Hopefully this will get you
started.

As for restarting in a production environment, I do it all the time (a few
times a week). The command itself is almost instantaneous, but it may take a
second or two for all the tunnels to reconnect. I use ipsec restart and my
users never notice. (I have 20+ tunnels and 37+ users.)


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
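As an added illustration of the overhead arithmetic the reply above points to (this is not code from the thread or from Openswan), the following Python computes the on-the-wire size of a packet after tunnel-mode ESP and the largest inner MTU that still fits a given outer MTU without fragmentation. The transform profiles, the fixed header and trailer sizes, and the optional NAT-T UDP header are assumed standard field sizes; the actual lengths on a given link should still be confirmed with tcpdump as the reply suggests.

```python
"""Tunnel-mode ESP overhead and inner-MTU calculator (added example, assumed field sizes)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    """Per-packet byte sizes that depend on the chosen ESP transforms (assumed values)."""
    name: str
    iv_len: int     # cipher IV carried in every packet
    block_len: int  # cipher block size; ESP pads the payload up to a multiple of it
    icv_len: int    # truncated integrity check value appended after the trailer


# Constructed profiles for common IPsec transform sets.
PROFILES = {
    "3des-cbc/hmac-sha1-96": EspProfile("3des-cbc/hmac-sha1-96", 8, 8, 12),
    "aes-cbc/hmac-sha1-96": EspProfile("aes-cbc/hmac-sha1-96", 16, 16, 12),
    "aes-cbc/hmac-sha2-256-128": EspProfile("aes-cbc/hmac-sha2-256-128", 16, 16, 16),
}

OUTER_IP_HDR = 20   # tunnel mode wraps the packet in a new IPv4 header
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
NAT_T_UDP_HDR = 8   # only present when ESP is encapsulated in UDP (NAT traversal)


def _fixed_overhead(profile: EspProfile, nat_t: bool) -> int:
    """Bytes added outside the padded, encrypted region."""
    return OUTER_IP_HDR + (NAT_T_UDP_HDR if nat_t else 0) + ESP_HDR + profile.iv_len + profile.icv_len


def esp_packet_len(inner_len: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Wire length of an inner IP packet of inner_len bytes after tunnel-mode ESP.

    The variable part the reply mentions is the padding: inner packet plus the
    2-byte trailer is rounded up to the cipher block size before encryption.
    """
    encrypted = -(-(inner_len + ESP_TRAILER) // profile.block_len) * profile.block_len
    return _fixed_overhead(profile, nat_t) + encrypted


def max_inner_mtu(outer_mtu: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Largest inner packet whose ESP encapsulation fits outer_mtu (no fragmentation)."""
    room = outer_mtu - _fixed_overhead(profile, nat_t)
    if room < profile.block_len:
        raise ValueError("outer MTU too small for ESP with this profile")
    encrypted = room - room % profile.block_len  # largest block-aligned ciphertext that fits
    return encrypted - ESP_TRAILER


if __name__ == "__main__":
    for name, prof in PROFILES.items():  # e.g. PPPoE link with a 1492-byte outer MTU
        print(f"{name:28s} inner MTU for outer 1492: {max_inner_mtu(1492, prof)}")
```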