[Swan] Poor OpenSwan IPsec Performance
Paul Wouters
pwouters at redhat.com
Thu Aug 15 23:36:55 EEST 2013
On 08/15/2013 02:40 PM, dave at ariens.ca wrote:
> It can't be a CPU bottleneck issue if I can initiate a 2nd transfer on a 2nd tunnel and both concurrent copies run at the same dismal speed.
>
> This is pure site-to-site Openswan to Openswan, surely I must not be the first to have this problem... I'm fairly confident it's a PMTU/MSS/fragmentation
> problem as a result of the IPsec packet overhead, I just don't know where else to look...
Then try:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
or:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460
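
The script below is an added example, not part of the original message: it derives a value for --set-mss from the path MTU and the ESP overhead of the tunnel. It assumes IPv4 tunnel mode with AES-CBC and HMAC-SHA1-96; the function names are hypothetical, and the rule is only printed, not applied.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed SA: ESP tunnel mode over IPv4, AES-CBC (16-byte IV and block),
# HMAC-SHA1-96 (12-byte ICV). Pass other sizes to model another proposal.

# esp_inner_mtu PATH_MTU [NATT] [IV] [BLOCK] [ICV]
# Largest inner IP packet that still fits one ESP packet of PATH_MTU bytes.
esp_inner_mtu() {
    path_mtu=$1; natt=${2:-0}; iv=${3:-16}; block=${4:-16}; icv=${5:-12}
    # Fixed cost: outer IPv4 header (20) + ESP SPI/sequence (8) + IV + ICV,
    # plus a UDP header (8) when NAT-T encapsulation is in use.
    fixed=$((20 + 8 + iv + icv))
    if [ "$natt" -eq 1 ]; then
        fixed=$((fixed + 8))
    fi
    room=$((path_mtu - fixed))
    # The ciphertext is a whole number of cipher blocks.
    room=$((room / block * block))
    # Two trailer bytes (pad length, next header) sit inside the ciphertext.
    inner=$((room - 2))
    if [ "$inner" -le 40 ]; then
        echo "path MTU $path_mtu is too small for this SA" >&2
        return 1
    fi
    echo "$inner"
}

# esp_tcp_mss: same arguments; MSS excludes inner IPv4 (20) and TCP (20) headers.
esp_tcp_mss() {
    inner=$(esp_inner_mtu "$@") || return 1
    echo $((inner - 40))
}

# mss_clamp_rule: print (do not run) the clamp rule with the computed MSS.
mss_clamp_rule() {
    mss=$(esp_tcp_mss "$@") || return 1
    echo "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Constructed sample inputs: plain Ethernet, PPPoE uplink, Ethernet with NAT-T.
for args in "1500" "1492" "1500 1"; do
    # Word splitting of $args is intended here.
    echo "path MTU/NAT-T = $args -> $(mss_clamp_rule $args)"
done
```

To confirm the path MTU fed into the script, send non-fragmentable pings between the gateways' public addresses, for example `ping -M do -s 1472 <peer>` on Linux (1472 bytes of payload plus 28 bytes of headers makes a 1500-byte packet).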