[Openswan Users] OpenSWAN transfer slowing down
Patrick Naubert
patrickn at xelerance.com
Fri Feb 15 07:47:16 EST 2013
Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Piotr Dzionek <piotr.dzionek at interconsystems.pl>
Subject: OpenSWAN transfer slowing down
Date: 15 February, 2013 6:22:43 AM EST
To: users at lists.openswan.org
Hi,
I have a problem with transfers slowing down over an IPsec tunnel. I have two servers with Debian 6 and Openswan 2.6.28+dfsg-5+squeeze1. Normal transfer speed is something between 50-70MB/s between them. However, when I use the IPsec tunnel it starts at something like 20MB/s and slows down to something like 1-1.5MB/s after just a minute or two. Moreover, server load goes really up (not max). I have two quite powerful Xeon servers with AES-NI support and the aesni_intel modules loaded. My config is:
1. First server

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=auto

conn vm-prod1
        auto= start
        authby= secret
        left= ****************
        leftsubnet= 192.168.10.2/32
        right= ******************
        rightsubnet= 192.168.10.1/32
        #Phase 1
        keyexchange= ike
        rekey= yes
        ike= aes256-sha1-modp1024
        ikelifetime= 1440m
        #Phase 2
        type= tunnel
        auth= esp
        esp= aes256-sha1
        pfs= no
        compress= no
        keylife= 21600s

2. Second server

............................

conn vm-prod2
        auto= start
        authby= secret
        left= ****************
        leftsubnet= 192.168.10.1/32
        right= ********************
        rightsubnet= 192.168.10.2/32
        #Phase 1
        keyexchange= ike
        rekey= yes
        ike= aes256-sha1-modp1024
        ikelifetime= 1440m
        #Phase 2
        type= tunnel
        auth= esp
        esp= aes256-sha1
        pfs= no
        compress= no
        keylife= 21600s

What could cause this kind of problem? Or maybe it should work that way? Normal scp transfer works very well, so I don't really know what is wrong.
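
Added example, not part of the original post and not Openswan code: a small Python check that the two conn sections quoted above describe the same tunnel, accepting either the same or a mirrored left/right orientation on the second end. The 192.0.2.x peer addresses are placeholders for the masked values in the post, and the function names are this example's own.

```python
# Constructed samples based on the post; 192.0.2.x are placeholder addresses.
END_A = """\
conn vm-prod1
    left= 192.0.2.1
    leftsubnet= 192.168.10.2/32
    right= 192.0.2.2
    rightsubnet= 192.168.10.1/32
    ike= aes256-sha1-modp1024
    esp= aes256-sha1
"""
END_B = """\
conn vm-prod2
    left= 192.0.2.2
    leftsubnet= 192.168.10.1/32
    right= 192.0.2.1
    rightsubnet= 192.168.10.2/32
    ike= aes256-sha1-modp1024
    esp= aes256-sha1
"""

def parse_conns(text):
    """Return {conn name: {parameter: value}} for every conn section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line and not line[0].isspace():        # section header in column 0
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented parameter line
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def swap_side(key):  # leftX <-> rightX, other parameters unchanged
    if key.startswith("left"):
        return "right" + key[4:]
    if key.startswith("right"):
        return "left" + key[5:]
    return key

def compare_ends(a, b):
    """Differences between two ends, allowing same or mirrored left/right."""
    def diff(peer_key):
        keys = sorted(set(a) | {peer_key(k) for k in b})
        return [f"{k}: {a.get(k)} != {b.get(peer_key(k))}"
                for k in keys if a.get(k) != b.get(peer_key(k))]
    return min(diff(lambda k: k), diff(swap_side), key=len)
```

An empty list from compare_ends means the two ends agree on every parameter present in either section.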