[Swan] subnet to subnet IPv6 very slow
Paul Wouters
paul at nohats.ca
Sat Nov 14 04:03:50 UTC 2015
You can try esp=aes_gcm128-null, which is the fastest good crypto algo to use, but I'm not sure if that is your real problem.
Sent from my iPhone
> On Nov 14, 2015, at 06:04, James Fromm <fromm at omnis.com> wrote:
>
> Hello,
>
> I am trying to deploy an IPv4 ipsec tunnel to carry IPv6 between our
> main location and a server we rent in Canada running as a KVM host with
> two virtual machines. We have IPv6 fully deployed in both locations so
> the purpose is only to secure the communication.
>
> Traffic from a virtual machine routed to the VM host/ipsec router then
> through the tunnel is VERY slow. Measured with nuttcp traffic through
> the tunnel averages less than 200 Kb/sec while traffic outside the
> tunnel averages 91 Mb. Traffic from the host directly averages 79 Mb
> through tunnel.
>
> Wireshark shows a high percentage of TCP retransmissions for the slow
> transfer. Neither router shows any load.
>
> The setup looks like this:
>
> "LAN A" <--> "ipsec router A" <--> "ipsec router B (and VM host)" <-->
> "VM instances"
>
> On ipsec router A I have:
>
> conn hac-vmh1-v6subnet
>     also=tev-ipsec-TO-hac-vmh1
>     connaddrfamily=ipv6
>     leftsubnet=2607:fe90:1::/64
>     rightsubnet=2607:fe90:8002:1::/64
>     auto=start
> conn tev-ipsec-TO-hac-vmh1
>     leftid=@tev-ipsec
>     left=216.239.131.43
>     leftrsasigkey=....
>     rightid=@hac-vmh1
>     right=74.82.222.90
>     rightrsasigkey=....
>     authby=rsasig
>
> On ipsec router B I have:
>
> conn hac-vmh1-v6subnet
>     also=tev-ipsec-TO-hac-vmh1
>     connaddrfamily=ipv6
>     leftsubnet=2607:fe90:1::/64
>     rightsubnet=2607:fe90:8002:1::/64
>     auto=start
> conn tev-ipsec-TO-hac-vmh1
>     leftid=@tev-ipsec
>     left=216.239.131.43
>     leftrsasigkey=....
>     rightid=@hac-vmh1
>     right=74.82.222.90
>     rightrsasigkey=....
>     authby=rsasig
>
> On the VM instances, I put a route to source the traffic from the
> 2607:fe90:8002:1::/64 subnet.
>
> To rule out the internal switching in the host for the virtual machines,
> I installed another server on the same VLAN with 'ipsec router B' as its
> gateway. It too is almost unusable through the tunnel.
>
> I have tried all recommendations to adjust MTU with no effect.
>
> All systems run CentOS 7 with libreswan 3.15. Everything on 'ipsec
> verify' is in the green. Is there another setting needed when the
> libreswan server is used as the gateway for other systems? Is there a
> known issue with subnet to subnet tunnels?
>
> Thank you in advance for any assistance.
>
> Thanks,
> James
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
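The symptom in the quoted report (hosts behind the gateway see heavy TCP retransmissions through the tunnel while the gateway itself is fine) is the pattern a path-MTU problem produces: the gateway learns the reduced path MTU for its own sockets, but forwarded traffic from the LAN hosts keeps sending full-size segments that no longer fit once ESP tunnel-mode overhead is added. The calculator below is an added example, not code from this thread or from libreswan; it works out the ESP overhead for the two suites mentioned here (the libreswan 3.15-era default aes128-sha1 and Paul's suggested aes_gcm128-null), the largest inner IPv6 packet that still fits a 1500-byte IPv4 path, and the TCP MSS a gateway would need to clamp to. The per-suite IV, block-alignment and ICV lengths are stated as assumptions in the code (in particular that aes_gcm128 uses a 16-byte ICV); the ip6tables rule it prints is a standard TCPMSS mangle rule, shown as text only and not executed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EspSuite:
    """Per-suite sizes that contribute to ESP tunnel-mode overhead."""
    name: str
    iv_len: int    # bytes of IV carried in the ESP payload
    block: int     # padding alignment of (inner packet + ESP trailer)
    icv_len: int   # bytes of integrity check value after the trailer


# Assumed values: AES-CBC uses a 16-byte IV and 16-byte block padding with a
# 12-byte HMAC-SHA1-96 ICV; AES-GCM uses an 8-byte IV, 4-byte alignment and
# (assumption for libreswan's aes_gcm128) a 16-byte ICV.
SUITES = {
    "aes128-sha1": EspSuite("aes128-sha1", iv_len=16, block=16, icv_len=12),
    "aes_gcm128-null": EspSuite("aes_gcm128-null", iv_len=8, block=4, icv_len=16),
}

IPV4_HDR = 20      # outer IPv4 header (tunnel is IPv4 per the report)
UDP_ENCAP = 8      # only present when NAT traversal encapsulation is in use
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
IPV6_MIN_MTU = 1280


def max_inner_packet(path_mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner (IPv6) packet that fits in one outer datagram of path_mtu."""
    s = SUITES[suite]
    fixed = IPV4_HDR + (UDP_ENCAP if nat_t else 0) + ESP_HDR + s.iv_len + s.icv_len
    budget = path_mtu - fixed          # room for padded (inner + trailer)
    budget -= budget % s.block         # padding rounds the encrypted part up
    return budget - ESP_TRAILER


def clamp_mss(path_mtu: int, suite: str, nat_t: bool = False,
              inner_ip_hdr: int = 40, tcp_hdr: int = 20) -> int:
    """TCP MSS to clamp on forwarded SYNs so segments never need fragmenting.

    inner_ip_hdr defaults to the 40-byte IPv6 header; pass 20 for IPv4 inside.
    """
    return max_inner_packet(path_mtu, suite, nat_t) - inner_ip_hdr - tcp_hdr


def inner_mtu_ok(path_mtu: int, suite: str, nat_t: bool = False) -> bool:
    """IPv6 requires every link to carry 1280 bytes; a tunnel that cannot is broken."""
    return max_inner_packet(path_mtu, suite, nat_t) >= IPV6_MIN_MTU


def clamp_rule(mss: int) -> str:
    """ip6tables rule that rewrites the MSS option on forwarded SYN segments."""
    return (f"ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            inner = max_inner_packet(1500, suite, nat_t)
            mss = clamp_mss(1500, suite, nat_t)
            print(f"{suite:16s} nat_t={nat_t!s:5s} inner MTU {inner}  "
                  f"IPv6 MSS {mss}  min-MTU ok: {inner_mtu_ok(1500, suite, nat_t)}")
    print(clamp_rule(clamp_mss(1500, "aes128-sha1")))
```

Running it shows that the two suites differ by only a few bytes of overhead, which is why the cipher choice alone rarely explains a tunnel dropping from tens of Mb to a few hundred Kb; the inner MTU reported for the gateway's forwarded traffic, and whether ICMPv6 Packet Too Big messages are allowed back into the LAN, is the first thing to verify.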