Hi shorewall users,
we are running a shorewall-based firewall with several IPSec (ESP) tunnels. The remote endpoints (mostly Cisco based) require us to SNAT the IP addresses coming from our LAN to ONE single IP.
Since we switched to a shorewall setup the performance on the tunnels has
dropped massively.
Everything works fine for simple connections (ssh, etc), but if we transfer
bigger volumes of data the connection speed drops very fast from about
8 MB/s to 400 KB/s (sometimes less) and other non-IPSec traffic slows down
as well.
When this happens, the load in "software interrupts (%si in top)" rises until
most packets (non-IPSec traffic) get dropped. The machine has a quad-core
XEON CPU, so crypto performance is not the issue here.
For testing purposes we duplicated the tunnel config but WITHOUT SNAT
and we can transfer IPSec traffic at 10MB/s constantly, without any harm
on the machine or the other traffic.
We believe we have some mistake in the NAT setup.
("shorewall dump" output attached, but we replaced the IP-addresses)
The non-IPSec traffic is also SNAT'ted but we cannot see any performance
problems there. We can saturate the link with 12MB/s without problems,
which is the maximum for our connection.
The Software Setup:
- Linux 2.6.32
- OpenSWAN (with netkey)
- shorewall 4.4.11 (Debian)
cleaned output of shorewall dump attached
Network Setup:
LAN (10.66.1.0/24)
        +
        |
        + (eth2:10.66.1.1)
    fw (shorewall)
        ++ (eth0:1.1.1.1)
        ||
        || (IPSec Tunnel)
        ++
    remoteGW (2.2.2.2)
        +
        |
        |
        +
remoteLAN (192.168.1.0/24)
Packet Flow:
10.66.1.2 -> 10.66.1.1 -> SNAT to 192.168.82.8
-> IPSEC-policy-routing -> remoteGW -> remoteLAN
Everything works! We can reach the remote servers.
The relevant parts of the config:
$IPSEC_MASQ_DEST is a list of IPs that are behind the tunnel and therefore
must have their source IP changed.
fw:/etc/shorewall# cat hosts
#zone hosts options
vpn eth0:192.168.1.0/24 ipsec
fw:/etc/shorewall# cat masq
#INTERFACE             SOURCE        ADDRESS       PROTO  PORT(S)  IPSEC  MARK
eth0:$IPSEC_MASQ_DEST  eth2          192.168.82.8  -      -        -
# everything else to our external IP
eth0                   10.66.1.0/24  1.1.1.1
fw:/etc/shorewall# cat zones
#ZONE  TYPE      OPTIONS                IN_OPTIONS  OUT_OPTIONS
fw     firewall
net    ipv4
loc    ipv4
vpn    ipsec     mode=tunnel mss=1400
fw:/etc/shorewall# cat interfaces
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     tcpflags,nosmurfs,logmartians,routefilter
loc    eth2       detect     tcpflags,dhcp,nosmurfs,routefilter
OpenSWAN CONFIG:
conn fw-test
    pfs=yes
    auth=esp
    esp=aes128-sha1
    keyexchange=ike
    type=tunnel
    authby=secret
    left=10.31.1.1
    leftsubnet=192.168.1.0/24
    right=1.1.1.1
    rightsubnet=192.168.82.8/32
    auto=add
Any ideas?
Best regards,
Joerg
shorewall_dump_cleaned.bz2
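Added example (not from the original post, Shorewall or Openswan): a small Python model of the packet flow described above, with the first matching masq entry applied before the tunnel selector is checked. It assumes the policy lookup is done on the post-SNAT address, that the SOURCE "eth2" means the 10.66.1.0/24 LAN behind it, and it uses a constructed two-host $IPSEC_MASQ_DEST to show what happens to a tunnel host that the list does not cover.

```python
import ipaddress

# Constructed stand-in for $IPSEC_MASQ_DEST: two hosts behind the tunnel (hypothetical).
IPSEC_MASQ_DEST = [ipaddress.ip_network("192.168.1.10/32"),
                   ipaddress.ip_network("192.168.1.20/32")]
LAN = ipaddress.ip_network("10.66.1.0/24")  # subnet behind eth2 (SOURCE column "eth2")

# Shorewall masq entries in file order; the first matching entry wins.
# (out interface, destination list or None, source network, SNAT address)
MASQ_RULES = [
    ("eth0", IPSEC_MASQ_DEST, LAN, "192.168.82.8"),  # eth0:$IPSEC_MASQ_DEST eth2 192.168.82.8
    ("eth0", None, LAN, "1.1.1.1"),                  # eth0 10.66.1.0/24 1.1.1.1
]

# conn fw-test selector as seen from the firewall (the "right" side):
# rightsubnet=192.168.82.8/32 -> leftsubnet=192.168.1.0/24
XFRM_OUT_POLICY = (ipaddress.ip_network("192.168.82.8/32"),
                   ipaddress.ip_network("192.168.1.0/24"))


def apply_snat(src, dst):
    """Return the post-SNAT source for a packet leaving on eth0."""
    for _iface, dests, source, to in MASQ_RULES:
        if src not in source:
            continue
        if dests is not None and not any(dst in d for d in dests):
            continue
        return ipaddress.ip_address(to)
    return src  # no entry matched: source unchanged


def forward(src_str, dst_str):
    """Model a LAN -> eth0 packet: SNAT first, then the policy lookup on the
    NATed addresses (assumption). Returns (post-NAT source, 'esp' | 'plain')."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    new_src = apply_snat(src, dst)
    pol_src, pol_dst = XFRM_OUT_POLICY
    encrypted = new_src in pol_src and dst in pol_dst
    return str(new_src), "esp" if encrypted else "plain"


if __name__ == "__main__":
    print(forward("10.66.1.2", "192.168.1.10"))  # ('192.168.82.8', 'esp')
    print(forward("10.66.1.2", "8.8.8.8"))       # ('1.1.1.1', 'plain')
    # Host behind the tunnel but missing from $IPSEC_MASQ_DEST: SNATed to the
    # external address, so the selector never matches and it leaves unencrypted.
    print(forward("10.66.1.2", "192.168.1.30"))  # ('1.1.1.1', 'plain')
```

The third case is the one to check in the dump: any remote host absent from $IPSEC_MASQ_DEST is NATed to 1.1.1.1 and falls outside the tunnel selector.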