[Openswan Users] OpenSWAN transfer slowing down
Piotr Dzionek
piotr.dzionek at intercon.pl
Mon Feb 18 02:44:28 EST 2013
Your question made me realize that I was using the netkey stack. I
downloaded the KLIPS module source and compiled it. Now ipsec starts with
it. The tunnel gets established, but I cannot ping anymore. ICMP packets
just try to go the normal way. They are not getting encapsulated in ESP
headers and are dropped by the default gw. I did not change any
configuration. Should I configure anything else?
My other question is: how is KLIPS better than NETKEY?
On 15.02.2013 18:38, Leto wrote:
> what stack are you using? klips has seen speed gains since that version
>
> also check nic cards, disable hw offloading, etc
>
> On the road...
>
> On 2013-02-15, at 10:01, Piotr Dzionek <piotr.dzionek at intercon.pl> wrote:
>
>> Hi,
>> I have a problem with slowing down transfers over an IPsec tunnel. I
>> have two servers with Debian 6 and Openswan 2.6.28+dfsg-5+squeeze1.
>> Normal transfer speed is sth between 50-70MB/s between them. However,
>> when I use the IPsec tunnel it starts with something like 20MB/s and
>> slows down to sth like 1-1.5MB/s just after a minute or two. Moreover,
>> server load goes really up (not max). I have two quite powerful Xeon
>> servers with aes-ni support and aesni_intel modules loaded. My config is:
>>
>> 1. First server
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>     # Do not set debug options to debug configuration issues!
>>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>>     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
>>     # eg:
>>     # plutodebug="control parsing"
>>     #
>>     # enable to get logs per-peer
>>     # plutoopts="--perpeerlog"
>>     #
>>     # Again: only enable plutodebug or klipsdebug when asked by a developer
>>     #
>>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>>     nat_traversal=yes
>>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>     # OE is now off by default. Uncomment and change to on, to enable.
>>     oe=off
>>     # which IPsec stack to use. auto will try netkey, then klips then mast
>>     protostack=auto
>>
>> conn vm-prod1
>>     auto= start
>>     authby= secret
>>     left= ****************
>>     leftsubnet= 192.168.10.2/32
>>     right= ******************
>>     rightsubnet= 192.168.10.1/32
>>     #Phase 1
>>     keyexchange= ike
>>     rekey= yes
>>     ike= aes256-sha1-modp1024
>>     ikelifetime= 1440m
>>     #Phase 2
>>     type= tunnel
>>     auth= esp
>>     esp= aes256-sha1
>>     pfs= no
>>     compress= no
>>     keylife= 21600s
>>
>> 2. Second server
>> ............................
>> conn vm-prod2
>>     auto= start
>>     authby= secret
>>     left= ****************
>>     leftsubnet= 192.168.10.1/32
>>     right= ********************
>>     rightsubnet= 192.168.10.2/32
>>     #Phase 1
>>     keyexchange= ike
>>     rekey= yes
>>     ike= aes256-sha1-modp1024
>>     ikelifetime= 1440m
>>     #Phase 2
>>     type= tunnel
>>     auth= esp
>>     esp= aes256-sha1
>>     pfs= no
>>     compress= no
>>     keylife= 21600s
>>
>> What could cause this kind of problem? Or maybe this should work that
>> way? Normal scp transfer works very well, so I don't really know what
>> is wrong.