[Swan] subnet to subnet IPv6 very slow

James Fromm fromm at omnis.com
Fri Nov 13 21:04:26 UTC 2015


Hello,

I am trying to deploy an IPv4 ipsec tunnel to carry IPv6 between our
main location and a server we rent in Canada running as a KVM host with
two virtual machines.  We have IPv6 fully deployed in both locations so
the purpose is only to secure the communication.

Traffic from a virtual machine routed to the VM host/ipsec router then
through the tunnel is VERY slow.  Measured with nuttcp traffic through
the tunnel averages less than 200 Kb/sec while traffic outside the
tunnel averages 91 Mb.  Traffic from the host directly averages 79 Mb
through tunnel.

Wireshark shows a high percentage of TCP retransmissions for the slow
transfer.  Neither router shows any load.

The setup looks like this:

"LAN A" <--> "ipsec router A" <--> "ipsec router B (and VM host)" <-->
"VM instances"

On ipsec router A I have:

	conn hac-vmh1-v6subnet
		also=tev-ipsec-TO-hac-vmh1
		connaddrfamily=ipv6
		leftsubnet=2607:fe90:1::/64
		rightsubnet=2607:fe90:8002:1::/64
		auto=start
	conn tev-ipsec-TO-hac-vmh1
		leftid=@tev-ipsec
		left=216.239.131.43
		leftrsasigkey=....
		rightid=@hac-vmh1
		right=74.82.222.90
		rightrsasigkey=....
		authby=rsasig

On ipsec router B I have:

	conn hac-vmh1-v6subnet
		also=tev-ipsec-TO-hac-vmh1
		connaddrfamily=ipv6
		leftsubnet=2607:fe90:1::/64
		rightsubnet=2607:fe90:8002:1::/64
		auto=start
	conn tev-ipsec-TO-hac-vmh1
		leftid=@tev-ipsec
		left=216.239.131.43
		leftrsasigkey=....
		rightid=@hac-vmh1
		right=74.82.222.90
		rightrsasigkey=....
		authby=rsasig

On the VM instances, I put a route to source the traffic from the
2607:fe90:8002:1::/64 subnet.

To rule out the internal switching in the host for the virtual machines,
I installed another server on the same VLAN with 'ipsec router B' as its
gateway.  It too is almost unusable through the tunnel.

I have tried all recommendations to adjust MTU with no effect.

All systems run CentOS 7 with libreswan 3.15.  Everything on 'ipsec
verify' is in the green.  Is there another setting needed when the
libreswan server is used as the gateway for other systems?  Is there a
known issue with subnet to subnet tunnels?

Thank you in advance for any assistance.

Thanks,
James

