On Fri, Oct 15, 2010 at 07:59:51AM -0700, Tom Eastep wrote:
> On 10/15/10 3:35 AM, Jörg Kurlbaum wrote:
> > Since we switched to a shorewall setup the performance on the tunnels has
> > dropped massively.
>
> Switched from what?
From a strange hand-written iptables script.
The main difference was that we had two different routers.
The first was the default route for all clients and marked packets that
should go into the IPSec tunnel and changed the IP with SNAT. All packets
then got forwarded to the "real" firewall. On the firewall, marked packets
got routed into the tunnel. But they already had the necessary IP.
The setup was faulty and not very manageable, that is why I changed to
shorewall. Which works great, but has this tiny problem :-)
> > We believe, we have some mistake in the NAT setup.
> > ("shorewall dump" output attached, but we replaced the IP-addresses)
> >
>
> I'm more inclined to suspect an MSS issue.
>
>
> > fw:/etc/shorewall# cat zones
> > #ZONE TYPE OPTIONS IN OUT
> > # OPTIONS OPTIONS
> > fw firewall
> > net ipv4
> > loc ipv4
> > vpn ipsec mode=tunnel mss=1400
> >
>
> You are only clamping the MSS in one direction. Try moving that setting
> to the OPTIONS column.
Okay, I tried that. The line looks like this now:
vpn ipsec mode=tunnel,mss=1400
But I'm sorry to say, no difference.
The interesting part is, if I don't do SNAT on the test tunnel,
performance is very good (like I said in the previous post, about 10MB/s).
Any more ideas? Are there other pitfalls with IPSec and Shorewall?
Thanks so far and best regards,
Jörg
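As an added example (not part of this thread or of Shorewall itself), a small Python linter for the zones-file pitfall Tom points out above: it flags ipsec zones whose mss= option sits only in the IN or OUT column (clamping one direction) instead of the OPTIONS column. The five-column layout is assumed from the header quoted above; the sample zone files are constructed.

```python
"""Lint a Shorewall 'zones' file for one-directional MSS clamping."""

# Constructed samples: the zone line from the thread (mss= only in the IN
# column) beside the corrected form (mss= in OPTIONS, applied both ways).
ZONES_ONE_WAY = """\
#ZONE   TYPE      OPTIONS        IN         OUT
#                                OPTIONS    OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec     mode=tunnel    mss=1400
"""

ZONES_BOTH_WAYS = """\
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec     mode=tunnel,mss=1400
"""

# Assumed column order, taken from the quoted file header.
COLUMNS = ("zone", "type", "options", "in_options", "out_options")


def parse_zones(text):
    """Split each non-comment line into columns; '-' or absent means empty."""
    zones = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        fields += ["-"] * (len(COLUMNS) - len(fields))
        entry = dict(zip(COLUMNS, fields))
        for col in ("options", "in_options", "out_options"):
            entry[col] = [] if entry[col] == "-" else entry[col].split(",")
        zones.append(entry)
    return zones


def has_mss(opts):
    return any(o.startswith("mss=") for o in opts)


def one_way_mss(text):
    """Names of ipsec zones clamped in only one direction (IN xor OUT)."""
    flagged = []
    for z in parse_zones(text):
        if z["type"] != "ipsec" or has_mss(z["options"]):
            continue  # not a tunnel zone, or already clamped both ways
        if has_mss(z["in_options"]) != has_mss(z["out_options"]):
            flagged.append(z["zone"])
    return flagged


if __name__ == "__main__":
    for name, text in (("one-way", ZONES_ONE_WAY), ("both-ways", ZONES_BOTH_WAYS)):
        print(name, one_way_mss(text) or "ok")
```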
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users