[Swan] subnet to subnet IPv6 very slow

Paul Wouters paul at nohats.ca
Sat Nov 14 04:03:50 UTC 2015


You can try esp=aes_gcm128-null which is the fastest good crypto algo to use but I'm not sure if that is your real problem.

Sent from my iPhone

> On Nov 14, 2015, at 06:04, James Fromm <fromm at omnis.com> wrote:
> 
> Hello,
> 
> I am trying to deploy an IPv4 ipsec tunnel to carry IPv6 between our
> main location and a server we rent in Canada running as a KVM host with
> two virtual machines.  We have IPv6 fully deployed in both locations so
> the purpose is only to secure the communication.
> 
> Traffic from a virtual machine routed to the VM host/ipsec router then
> through the tunnel is VERY slow.  Measured with nuttcp traffic through
> the tunnel averages less than 200 Kb/sec while traffic outside the
> tunnel averages 91 Mb.  Traffic from the host directly averages 79 Mb
> through tunnel.
> 
> Wireshark shows a high percentage of TCP retransmissions for the slow
> transfer.  Neither router shows any load.
> 
> The setup looks like this:
> 
> "LAN A" <--> "ipsec router A" <--> "ipsec router B (and VM host)" <-->
> "VM instances"
> 
> On ipsec router A I have:
> 
>    conn hac-vmh1-v6subnet
>        also=tev-ipsec-TO-hac-vmh1
>        connaddrfamily=ipv6
>        leftsubnet=2607:fe90:1::/64
>        rightsubnet=2607:fe90:8002:1::/64
>        auto=start
>    conn tev-ipsec-TO-hac-vmh1
>        leftid=@tev-ipsec
>        left=216.239.131.43
>        leftrsasigkey=....
>        rightid=@hac-vmh1
>        right=74.82.222.90
>        rightrsasigkey=....
>        authby=rsasig
> 
> On ipsec router B I have:
> 
>    conn hac-vmh1-v6subnet
>        also=tev-ipsec-TO-hac-vmh1
>        connaddrfamily=ipv6
>        leftsubnet=2607:fe90:1::/64
>        rightsubnet=2607:fe90:8002:1::/64
>        auto=start
>    conn tev-ipsec-TO-hac-vmh1
>        leftid=@tev-ipsec
>        left=216.239.131.43
>        leftrsasigkey=....
>        rightid=@hac-vmh1
>        right=74.82.222.90
>        rightrsasigkey=....
>        authby=rsasig
> 
> On the VM instances, I put a route to source the traffic from the
> 2607:fe90:8002:1::/64 subnet.
> 
> To rule out the internal switching in the host for the virtual machines,
> I installed another server on the same VLAN with 'ipsec router B' as its
> gateway.  It too is almost unusable through the tunnel.
> 
> I have tried all recommendations to adjust MTU with no effect.
> 
> All systems run CentOS 7 with libreswan 3.15.  Everything on 'ipsec
> verify' is in the green.  Is there another setting needed when the
> libreswan server is used as the gateway for other systems?  Is there a
> known issue with subnet to subnet tunnels?
> 
> Thank you in advance for any assistance.
> 
> Thanks,
> James
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
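The ESP proposal suggested above changes the per-packet overhead of the tunnel, and the original report mentions MTU adjustments and TCP retransmissions, so it helps to know exactly how large an inner IPv6 packet can be before the outer IPv4 ESP packet exceeds the path MTU. The following is an added example, not code from the thread or from libreswan: it computes tunnel-mode ESP overhead for IPv6-in-IPv4 from the RFC 4303/4106/3602/2404 field sizes and derives the inner MTU and the TCP MSS to clamp to. aes128-sha1 is included only as an assumed comparison proposal, and the outer MTU of 1500 and the NAT-T option are assumptions.

```python
# Added example (not from the thread or from libreswan): size the inner IPv6 MTU
# and TCP MSS for an IPv6-in-IPv4 ESP tunnel so no packet has to be fragmented.
from dataclasses import dataclass


@dataclass(frozen=True)
class EspAlgo:
    name: str
    iv_len: int   # bytes of IV carried after the ESP header
    icv_len: int  # bytes of integrity check value (ESP trailer)
    align: int    # padding alignment: cipher block size (CBC) or 4 (RFC 4303 minimum)


# Field sizes from RFC 4106 (AES-GCM: 8-byte IV, 16-byte ICV for aes_gcm128),
# RFC 3602 (AES-CBC: 16-byte IV, 16-byte blocks) and RFC 2404 (HMAC-SHA1-96: 12-byte ICV).
AES_GCM128_NULL = EspAlgo("aes_gcm128-null", iv_len=8, icv_len=16, align=4)
AES128_SHA1 = EspAlgo("aes128-sha1", iv_len=16, icv_len=12, align=16)  # assumed comparison

OUTER_IPV4 = 20   # outer IPv4 header without options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
IPV6_HDR = 40
TCP_HDR = 20
IPV6_MIN_MTU = 1280


def esp_packet_size(inner_len: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """Bytes on the wire for an inner packet of inner_len bytes in ESP tunnel mode."""
    pad = (-(inner_len + ESP_TRAILER)) % algo.align   # pad so trailer ends on the boundary
    udp = 8 if nat_t else 0                           # UDP encapsulation under NAT traversal
    return (OUTER_IPV4 + udp + ESP_HDR + algo.iv_len
            + inner_len + pad + ESP_TRAILER + algo.icv_len)


def max_inner_mtu(outer_mtu: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """Largest inner IPv6 packet whose ESP encapsulation still fits the outer path MTU."""
    size = outer_mtu
    while esp_packet_size(size, algo, nat_t) > outer_mtu:
        size -= 1
    return size


def ipv6_tcp_mss(inner_mtu: int) -> int:
    """TCP MSS to clamp to for IPv6 flows crossing the tunnel."""
    return inner_mtu - IPV6_HDR - TCP_HDR


def tunnel_budget(outer_mtu: int = 1500, algo: EspAlgo = AES_GCM128_NULL,
                  nat_t: bool = False) -> dict:
    mtu = max_inner_mtu(outer_mtu, algo, nat_t)
    return {"algo": algo.name, "inner_mtu": mtu,
            "ipv6_ok": mtu >= IPV6_MIN_MTU, "tcp_mss": ipv6_tcp_mss(mtu)}


if __name__ == "__main__":
    for algo in (AES_GCM128_NULL, AES128_SHA1):
        print(tunnel_budget(1500, algo))
```

If the interface MTU on the VM side is left at 1500, IPv6 packets larger than the computed inner MTU must be dropped with a Packet Too Big message by the tunnel gateway; if that ICMPv6 is filtered anywhere, large TCP segments are lost and retransmitted, which matches the symptom described.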
