[Openswan Users] OpenSWAN transfer slowing down

Piotr Dzionek piotr.dzionek at intercon.pl
Fri Feb 15 10:01:08 EST 2013


Hi,
I have a problem with transfers slowing down over an IPsec tunnel. I have
two servers with Debian 6 and Openswan 2.6.28+dfsg-5+squeeze1. Normal
transfer speed is something between 50-70MB/s between them. However, when I use
the IPsec tunnel it starts with something like 20MB/s and slows down to something
like 1-1.5MB/s just after a minute or two. Moreover, server load goes
really up (not max). I have two quite powerful Xeon servers with AES-NI
support and aesni_intel modules loaded. My config is:

1. First server

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=auto

conn vm-prod1
        auto=       start
        authby=     secret
        left=       ****************
        leftsubnet= 192.168.10.2/32
        right=      ******************
        rightsubnet=    192.168.10.1/32
        #Phase 1
        keyexchange=    ike
        rekey=          yes
        ike=            aes256-sha1-modp1024
        ikelifetime=    1440m
        #Phase 2
        type=           tunnel
        auth=           esp
        esp=            aes256-sha1
        pfs=            no
        compress=       no
        keylife=        21600s

2. Second server
............................
conn vm-prod2
        auto=       start
        authby=     secret
        left=       ****************
        leftsubnet= 192.168.10.1/32
        right=      ********************
        rightsubnet=    192.168.10.2/32
        #Phase 1
        keyexchange=    ike
        rekey=          yes
        ike=            aes256-sha1-modp1024
        ikelifetime=    1440m
        #Phase 2
        type=           tunnel
        auth=           esp
        esp=            aes256-sha1
        pfs=            no
        compress=       no
        keylife=        21600s

What could cause this kind of problem? Or maybe this should work that
way? Normal scp transfer works very well, so I don't really know what is
wrong.
