curiosity, what is the MTU in the IPsec network? Is NETKEY implemented similarly to PPP, namely that it encapsulates traffic and thus drops below a standard MTU?

On Mon, Dec 9, 2013 at 11:24 AM, Steve Gaarder <[email protected]> wrote:

> I run a network of machines running Scientific Linux 6 (a Red Hat
> Enterprise clone). We have both AFS and NFS file servers. In an effort to
> add some security to NFS, we are using IPSEC. I have discovered that
> IPSEC, specifically Red Hat's NETKEY protocol stack, sends OpenAFS
> performance through the floor. To try this on an SL/RHEL/Centos box,
> install Openswan and set it up on an OpenAFS server and client according to
> these instructions:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
>
> Then try copying a large file from AFS to the client's local storage, e.g.
> with rsync --progress. You will see performance steadily drop to miserable
> levels.
>
> If you switch the client to the KLIPS stack (by using the kernel module
> that comes with the Openswan source), things run fine. It does not seem to
> matter which stack is on the server.
>
> Any ideas about what is going on?
>
> thanks,
>
> Steve Gaarder
> System Administrator, Dept of Mathematics
> Cornell University, Ithaca, NY, USA
> [email protected]

--
Derrick
