I've been trying to figure this out for a few days now, but I'm at a loss. Time to ask the experts.
I have two Debian Squeeze boxes that I'm creating a site-to-site VPN for. Followed this how-to: http://wiki.debian.org/IPsec

I can ping both sides of the internal interfaces, but pings from one side have twice the latency of the other side. I'm at a total loss about why this is occurring.

Site Office Network:
External Interface on eth0: 50.194.128.49/28
Internal Interface on eth1: 172.18.38.1/24
ip route add to 172.18.108.0/24 via 50.194.128.49 src 172.18.38.1

Site Branch Network:
External Interface on eth0: 71.33.229.33/28
Internal Interface on eth1: 172.18.108.1/24
ip route add to 172.18.38.0/24 via 71.33.229.33 src 172.18.108.1

Site Office /etc/racoon/racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 71.33.229.33 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 172.18.38.0/24 any address 172.18.108.0/24 any {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

Site Branch /etc/racoon/racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 50.194.128.49 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 172.18.108.0/24 any address 172.18.38.0/24 any {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

Site Office /etc/ipsec-tools.conf:

flush;
spdflush;

spdadd 172.18.38.0/24 172.18.108.0/24 any -P out ipsec
        esp/tunnel/50.194.128.49-71.33.229.33/require;

spdadd 172.18.108.0/24 172.18.38.0/24 any -P in ipsec
        esp/tunnel/71.33.229.33-50.194.128.49/require;

Site Branch /etc/ipsec-tools.conf:

flush;
spdflush;

spdadd 172.18.108.0/24 172.18.38.0/24 any -P out ipsec
        esp/tunnel/71.33.229.33-50.194.128.49/require;

spdadd 172.18.38.0/24 172.18.108.0/24 any -P in ipsec
        esp/tunnel/50.194.128.49-71.33.229.33/require;

Ping from Office to Branch External:

ping -c5 -n voipshinn
PING voipshinn (71.33.229.33) 56(84) bytes of data.
64 bytes from 71.33.229.33: icmp_req=1 ttl=52 time=70.4 ms
64 bytes from 71.33.229.33: icmp_req=2 ttl=52 time=70.7 ms
64 bytes from 71.33.229.33: icmp_req=3 ttl=52 time=84.5 ms
64 bytes from 71.33.229.33: icmp_req=4 ttl=52 time=70.6 ms
64 bytes from 71.33.229.33: icmp_req=5 ttl=52 time=69.8 ms

Ping from Office to Branch Internal:

ping -c5 -n voipshinn-int
PING voipshinn-int (172.18.108.1) 56(84) bytes of data.
64 bytes from 172.18.108.1: icmp_req=1 ttl=64 time=84.3 ms
64 bytes from 172.18.108.1: icmp_req=2 ttl=64 time=85.1 ms
64 bytes from 172.18.108.1: icmp_req=3 ttl=64 time=77.8 ms
64 bytes from 172.18.108.1: icmp_req=4 ttl=64 time=78.2 ms
64 bytes from 172.18.108.1: icmp_req=5 ttl=64 time=79.0 ms

So about the same latency from the Office to the Branch over the VPN compared to pinging the external interface directly.

Ping from Branch to Office External:

ping -c5 -n linuxgw
PING linuxgw (50.194.128.49) 56(84) bytes of data.
64 bytes from 50.194.128.49: icmp_req=1 ttl=51 time=70.9 ms
64 bytes from 50.194.128.49: icmp_req=2 ttl=51 time=71.6 ms
64 bytes from 50.194.128.49: icmp_req=3 ttl=51 time=70.4 ms
64 bytes from 50.194.128.49: icmp_req=4 ttl=51 time=70.2 ms
64 bytes from 50.194.128.49: icmp_req=5 ttl=51 time=69.4 ms

Ping from Branch to Office Internal:

ping -c5 -n linuxgw-int
PING linuxgw-int (172.18.38.1) 56(84) bytes of data.
64 bytes from 172.18.38.1: icmp_req=1 ttl=64 time=139 ms
64 bytes from 172.18.38.1: icmp_req=2 ttl=64 time=134 ms
64 bytes from 172.18.38.1: icmp_req=3 ttl=64 time=133 ms
64 bytes from 172.18.38.1: icmp_req=4 ttl=64 time=134 ms
64 bytes from 172.18.38.1: icmp_req=5 ttl=64 time=136 ms

Pretty much double the latency going over the VPN compared to just pinging the external interface directly. I can find no reason why this is occurring.

Anyone have any ideas why this is happening?

Chris

