On 10/15/10 8:59 AM, Jörg Kurlbaum wrote:
> On Fri, Oct 15, 2010 at 07:59:51AM -0700, Tom Eastep wrote:
>> On 10/15/10 3:35 AM, Jörg Kurlbaum wrote:
>>> Since we switched to a shorewall setup the performance on the tunnels has
>>> dropped massively.
>>
>> Switched from what?
>
> From a strange hand-written iptables script.
>
> The main difference was, that we had two different routers.
> The first was the default route for all clients and marked packets that
> should go into the IPSec tunnel and changed the IP with SNAT. All packets
> then got forwarded to the "real" firewall. On the firewall marked packets
> got routed into the tunnel. But they already had the necessary IP.
> The setup was faulty and not very manageable, that is why I changed to
> Shorewall, which works great but has this tiny problem :-)
>
>>> We believe, we have some mistake in the NAT setup.
>>> ("shorewall dump" output attached, but we replaced the IP-addresses)
>>>
>>
>> I'm more inclined to suspect an MSS issue.
>>
>>
>>> fw:/etc/shorewall# cat zones
>>> #ZONE   TYPE      OPTIONS        IN          OUT
>>> #                                OPTIONS     OPTIONS
>>> fw      firewall
>>> net     ipv4
>>> loc     ipv4
>>> vpn     ipsec     mode=tunnel    mss=1400
>>>
>>
>> You are only clamping the MSS in one direction. Try moving that setting
>> to the OPTIONS column.
>
> Okay, I tried that. The line looks like this now:
>
> vpn ipsec mode=tunnel,mss=1400
>
> But I'm sorry to say, no difference.
> The interesting part is, if I don't do SNAT on the test-tunnel
> performance is very well (like I said in the previous post about 10MB/s).

You said that but it's impossible for us to understand exactly what you
are telling us. Your original post said:

"The remote endpoints (mostly cisco based) require us to SNAT
the IP addresses coming from our LAN to ONE single IP."

And yet you say:

"if I don't do SNAT on the test-tunnel performance is very well
(sic)"

????

I can only guess that means that tunneled connections from the Shorewall
box to the remote subnets have normal performance?

> Any more ideas? Are there other pitfalls with IPSec and Shorewall?

I can recall no case where IPSEC performance issues were not resolved by
MSS clamping. Anyone else?

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
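Two checks a practitioner would want when following the MSS-clamping diagnosis in the reply above, as an added example that is not part of the thread and not Shorewall code. The first computes how large a TCP MSS still fits the path MTU once ESP tunnel-mode encapsulation is added, so a clamp value like the 1400 in the zones file can be checked against the link instead of guessed; the ESP overhead figures (16-byte IV, 12-byte ICV, 16-byte cipher block) are assumptions for AES-CBC with HMAC-SHA1-96 and must be adjusted for other transforms. The second scans rule text in the style of iptables-save output and reports whether TCPMSS clamping for ipsec-policy traffic is present for both the in and out direction, which is the one-direction-only asymmetry Tom points at. The rule lines are constructed for illustration; the exact rules a given Shorewall version generates may differ.

```python
"""Sanity checks for IPsec MSS clamping (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Fixed header sizes (bytes).
IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_SPI_SEQ = 8      # ESP SPI + sequence number
ESP_TRAILER = 2      # ESP pad-length + next-header bytes


def esp_tunnel_overhead(inner_len: int, iv_len: int = 16,
                        icv_len: int = 12, block: int = 16) -> int:
    """Bytes added when an inner IP packet of inner_len bytes is wrapped
    in ESP tunnel mode. Assumed transform: CBC cipher with iv_len IV and
    block-size alignment, plus an icv_len authentication tag."""
    # ESP pads (payload + trailer) up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    pad = padded - inner_len - ESP_TRAILER
    return IP_HDR + ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + icv_len


def mss_budget(path_mtu: int = 1500, iv_len: int = 16,
               icv_len: int = 12, block: int = 16) -> int:
    """Largest TCP MSS whose full-size segment, once ESP-encapsulated,
    still fits in path_mtu without fragmentation."""
    for mss in range(path_mtu, 0, -1):
        inner = IP_HDR + TCP_HDR + mss
        if inner + esp_tunnel_overhead(inner, iv_len, icv_len, block) <= path_mtu:
            return mss
    return 0


@dataclass
class ClampRule:
    direction: str        # "in" or "out" from the policy match
    chain: str            # chain the rule was appended to
    mss: Optional[int]    # None means --clamp-mss-to-pmtu was used


def clamp_directions(rules_text: str) -> Dict[str, ClampRule]:
    """Find TCPMSS rules that apply to ipsec-policy traffic and key them
    by direction, so a missing direction is easy to spot."""
    found: Dict[str, ClampRule] = {}
    for line in rules_text.splitlines():
        if "-j TCPMSS" not in line or "--pol ipsec" not in line:
            continue
        direction = re.search(r"--dir (in|out)\b", line)
        chain = re.match(r"-A (\S+)", line)
        set_mss = re.search(r"--set-mss (\d+)", line)
        if not direction or not chain:
            continue
        found[direction.group(1)] = ClampRule(
            direction.group(1), chain.group(1),
            int(set_mss.group(1)) if set_mss else None)
    return found


def clamp_is_symmetric(rules_text: str) -> bool:
    """True only when both directions of ipsec traffic are clamped."""
    return {"in", "out"} <= set(clamp_directions(rules_text))


# Constructed sample rules in iptables-save style (not real Shorewall output).
ONE_WAY_RULES = (
    "-A FORWARD -i eth0 -m policy --dir in --pol ipsec -p tcp -m tcp "
    "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400\n"
    "-A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT\n"
)
BOTH_WAYS_RULES = ONE_WAY_RULES + (
    "-A FORWARD -o eth0 -m policy --dir out --pol ipsec -p tcp -m tcp "
    "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400\n"
)

if __name__ == "__main__":
    print("max MSS for 1500-byte path MTU:", mss_budget())
    for name, rules in (("one-way", ONE_WAY_RULES), ("both-ways", BOTH_WAYS_RULES)):
        print(name, "clamped directions:", sorted(clamp_directions(rules)),
              "symmetric:", clamp_is_symmetric(rules))
```

With the default transform assumptions, mss_budget() returns 1398 for a 1500-byte path MTU; a clamp value above that leaves the encrypted packet one cipher block too large and forces fragmentation, which is the kind of silent throughput loss the thread describes. The direction check is the same question Tom asks of the zones file, answered from the installed rules rather than from the configuration that should have produced them.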
