> > greetings
> >
> > i have a working bering 2.4.18 FreeS/WAN 1.98b tunnel working nicely
> > between a hub and a few remotes working
> >
> > now i am trying to replace the hub, because we want to use openvpn for some
> > roaming clients.
> >
> > so i replace the 1 Ghz 128MB machine at the hub with a 2.4Ghz 256MB one
> > with bering uclibc 2.4.32 and openswan 2.4.4, much more powerful
> > hardware.
> >
> > all the tunnels come back as expected and traffic flows. problem is that
> > the speed drops by ~half, and the previous usable link becomes almost
> > unusable for the applications.
> >
> > is there any workaround for this ? is it because of the uclibc and its
> > size before performance ? or may it be the kernel's fault ?
> >
> > basically what i'm asking is should i use bering instead of bering uclibc,
> > or would a custom kernel solve my issues ?
> >
> > --
> > Ronny Aasen <[EMAIL PROTECTED]>
>
> Hello Ronny,
>
> This has nothing to do with "uclibc and its size before performance" but
> it's probably a configuration issue either in shorewall or openswan.
>
> Do you see any strange messages in your logs or in the output of
> "shorewall hits"?
>
> Eric

thank you for the swift reply.

freeswan is the old bering 2.4.18 box,
openswan is the new bering uclibc 2.4.32 box

i am testing with iperf:
freeswan to freeswan see 7-8 Mbits/sec that's close to max available across the remote wireless link.
freeswan to openswan i see 3-4 Mbits/sec about half of what i expected.

i see nothing out of the ordinary in var/logs/*.
shorewall hits shows nothing that's from any of the internal networks or my public ip's. only hits i see are from the background noise of the net.

my auth.log on the new openswan contains

Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #26: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #26: Main mode peer ID is ID_IPV4_ADDR: '217.17.211.148'
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #26: I did not send a certificate because I do not have one.
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #26: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #26: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #27: responding to Quick Mode {msgid:1387871e}
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #27: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #27: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 27 06:14:56 ServNetgw pluto[305]: "PgptoServ" #27: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 27 06:14:56 ServNetgw pluto[305]: "PgptoServ" #27: STATE_QUICK_R2: IPsec SA established {ESP=>0xd9a690e6 <0x85deba70 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

the freeswan box:

Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #3: initiating Main Mode
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #3: ignoring Vendor ID payload
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #3: ignoring Vendor ID payload
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #3: Peer ID is ID_IPV4_ADDR: '217.17.211.4'
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #3: ISAKMP SA established
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #4: sent QI2, IPsec SA established

i read this as "works as expected",

in shorewall zones i did
    ipsec ipv4
i did _NOT_ do
    ipsec ipsec
since that gave me an error about policy match support in the kernel. could this cause the slowdown ?

i configured the ipsec endpoints in tunnels as normal.
    ipsec net 217.17.211.144

here is my freeswan config

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn pgp-to-test
    left=217.17.211.148
    leftsubnet=10.0.1.0/24
    leftnexthop=217.17.211.129
    right=217.17.211.4
    rightsubnet=10.0.10.0/24
    rightnexthop=217.17.211.1
    auto=start
    authby=secret

and my openswan config

version 2.0

config setup
    plutodebug=none
    klipsdebug=none

conn Pgp-to-test
    left=217.17.211.148
    leftsubnet=10.0.1.0/24
    leftnexthop=217.17.211.129
    right=217.17.211.4
    rightsubnet=10.0.10.0/24
    rightnexthop=217.17.211.1
    auto=start
    authby=secret

same config (- version 2.0) works fine in a freeswan to freeswan setup.

hope someone has a clue to what's causing this.

thanks

--
Ronny Aasen <[EMAIL PROTECTED]>

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
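
Added example (not part of the original message and not LEAF, FreeS/WAN or Openswan code): a small parser that pulls the negotiated parameters out of pluto "SA established" log lines such as those quoted above, so the two ends of a tunnel can be compared side by side. The function name and the regular expressions are assumptions made for this illustration; the sample lines are copied from the message.

```python
import re

# Log lines copied from the message above: openswan box first, then freeswan box.
SAMPLE = '''\
Jun 27 06:14:55 ServNetgw pluto[305]: "PgptoServ" #26: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jun 27 06:14:56 ServNetgw pluto[305]: "PgptoServ" #27: STATE_QUICK_R2: IPsec SA established {ESP=>0xd9a690e6 <0x85deba70 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #3: ISAKMP SA established
Jun 26 18:04:28 pgpGw pluto[20193]: "pgp-to-test" #4: sent QI2, IPsec SA established
'''

# syslog prefix, connection name, SA serial, SA kind, optional {...} parameters
LINE = re.compile(
    r'^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): .*?'
    r'(?P<kind>ISAKMP|IPsec) SA established(?: \{(?P<params>[^}]*)\})?')

# key=value pairs; the "ESP=>0x... <0x..." SPI pair does not match and is skipped
PARAM = re.compile(r'(\w+)=([\w-]+)')


def negotiated(log_text):
    """Return one dict per 'SA established' line.

    'params' holds the key=value pairs pluto printed in braces; it is
    empty for lines that carry no parameter list (as on the freeswan box).
    """
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        results.append({
            'host': m['host'],
            'conn': m['conn'],
            'sa': int(m['sa']),
            'kind': m['kind'],
            'params': dict(PARAM.findall(m['params'] or '')),
        })
    return results


if __name__ == '__main__':
    for entry in negotiated(SAMPLE):
        print(entry['host'], entry['conn'], entry['kind'], entry['params'] or '(not logged)')
```
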