[Swan] subnet to subnet IPv6 very slow
James Fromm
fromm at omnis.com
Fri Nov 13 21:04:26 UTC 2015
Hello,
I am trying to deploy an IPv4 ipsec tunnel to carry IPv6 between our
main location and a server we rent in Canada running as a KVM host with
two virtual machines. We have IPv6 fully deployed in both locations so
the purpose is only to secure the communication.
Traffic from a virtual machine routed to the VM host/ipsec router then
through the tunnel is VERY slow. Measured with nuttcp traffic through
the tunnel averages less than 200 Kb/sec while traffic outside the
tunnel averages 91 Mb. Traffic from the host directly averages 79 Mb
through tunnel.
Wireshark shows a high percentage of TCP retransmissions for the slow
transfer. Neither router shows any load.
The setup looks like this:
"LAN A" <--> "ipsec router A" <--> "ipsec router B (and VM host)" <-->
"VM instances"
On ipsec router A I have:
conn hac-vmh1-v6subnet
    also=tev-ipsec-TO-hac-vmh1
    connaddrfamily=ipv6
    leftsubnet=2607:fe90:1::/64
    rightsubnet=2607:fe90:8002:1::/64
    auto=start

conn tev-ipsec-TO-hac-vmh1
    leftid=@tev-ipsec
    left=216.239.131.43
    leftrsasigkey=....
    rightid=@hac-vmh1
    right=74.82.222.90
    rightrsasigkey=....
    authby=rsasig
On ipsec router B I have:
conn hac-vmh1-v6subnet
    also=tev-ipsec-TO-hac-vmh1
    connaddrfamily=ipv6
    leftsubnet=2607:fe90:1::/64
    rightsubnet=2607:fe90:8002:1::/64
    auto=start

conn tev-ipsec-TO-hac-vmh1
    leftid=@tev-ipsec
    left=216.239.131.43
    leftrsasigkey=....
    rightid=@hac-vmh1
    right=74.82.222.90
    rightrsasigkey=....
    authby=rsasig
On the VM instances, I put a route to source the traffic from the
2607:fe90:8002:1::/64 subnet.
To rule out the internal switching in the host for the virtual machines,
I installed another server on the same VLAN with 'ipsec router B' as its
gateway. It too is almost unusable through the tunnel.
I have tried all recommendations to adjust MTU with no effect.
All systems run CentOS 7 with libreswan 3.15. Everything on 'ipsec
verify' is in the green. Is there another setting needed when the
libreswan server is used as the gateway for other systems? Is there a
known issue with subnet to subnet tunnels?
Thank you in advance for any assistance.
Thanks,
James
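Added example (not from the poster or from libreswan): the retransmission pattern above is what an IPv6-in-ESP-in-IPv4 tunnel produces when hosts behind the router still assume a 1500-byte path. This script works out how much of the outer MTU is left for the inner IPv6 packet, and so the TCP MSS a forwarding router would clamp to, for two assumed ESP profiles (AES-CBC with HMAC-SHA1-96, and AES-GCM-128), with and without NAT-T UDP encapsulation. The profile sizes are assumptions about standard ESP framing, not values taken from the post.

```python
"""Inner MTU and IPv6 TCP MSS left by an ESP tunnel over IPv4.

Added example; the cipher profiles below are assumptions about
standard ESP framing, not configuration from the original post.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header carrying ESP
UDP_HDR = 8        # only present with NAT traversal (UDP encapsulation)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
IPV6_HDR = 40      # inner IPv6 header
TCP_HDR = 20       # inner TCP header without options


@dataclass(frozen=True)
class EspProfile:
    iv: int      # per-packet IV bytes
    icv: int     # integrity check value bytes
    align: int   # (payload + padding + trailer) alignment the cipher needs


# Assumed profiles; names are descriptive, not libreswan esp= syntax.
PROFILES = {
    "aes-cbc-128+hmac-sha1-96": EspProfile(iv=16, icv=12, align=16),
    "aes-gcm-128": EspProfile(iv=8, icv=16, align=4),
}


def esp_packet_len(inner_len, profile, nat_t=False):
    """Outer IPv4 packet length for an ESP packet carrying inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % profile.align   # ESP padding
    outer = (IPV4_HDR + ESP_HDR + profile.iv + inner_len + pad
             + ESP_TRAILER + profile.icv)
    return outer + (UDP_HDR if nat_t else 0)


def max_inner_mtu(outer_mtu, profile, nat_t=False):
    """Largest inner packet that fits in outer_mtu without fragmentation."""
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_len(inner, profile, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for this ESP profile")


def ipv6_tcp_mss(outer_mtu, profile, nat_t=False):
    """MSS a router should clamp for IPv6 TCP flows sent into the tunnel."""
    return max_inner_mtu(outer_mtu, profile, nat_t) - IPV6_HDR - TCP_HDR


if __name__ == "__main__":
    for name, prof in PROFILES.items():
        for nat_t in (False, True):
            print(f"{name:26s} nat_t={nat_t!s:5s} inner MTU "
                  f"{max_inner_mtu(1500, prof, nat_t)}  "
                  f"IPv6 TCP MSS {ipv6_tcp_mss(1500, prof, nat_t)}")
```

Comparing the computed inner MTU against what the VMs actually send (for example with a don't-fragment ping of that size through the tunnel) tells you whether the retransmissions are an MTU black hole rather than a libreswan setting.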