On Fri, Oct 15, 2010 at 03:58:38PM -0700, Tom Eastep wrote:
> You said that but it's impossible for us to understand exactly what you
> are telling us. Your original post said:
>
> "The remote endpoints (mostly cisco based) require us to SNAT
> the IP addresses coming from our LAN to ONE single IP."
>
> And yet you say:
>
> "if I don't do SNAT on the test-tunnel performance is very well
> (sic)"
>
> ????

Well, lost in translation, I guess.
I've been having this error for a while now and I'm trying to locate it.
We have about 12 tunnels with very similar configuration that all need
SNAT. We cannot change the config on the endpoints, because they are not
ours.
But I've set up another machine as a (test) endpoint, which has exactly the
same configuration, to reproduce the error. There I tried both: with SNAT
(bad performance) and without SNAT. In the latter case everything is fine.
That is why I think it has something to do with the SNAT.

> I can only guess that means that tunneled connections from the Shorewall
> box to the remote subnets have normal performance?

No, normal performance from subnet to subnet when turning off SNAT, which
is not possible on the production tunnels, but only on my test connection.

> > Any more ideas? Are there other pitfalls with IPSec and Shorewall?
>
> I can recall no case where IPSEC performance issues were not resolved by
> MSS clamping. Anyone else?

Maybe I'm not getting the full idea of MSS clamping. Can you see a
misconfigured MSS, for example with tcpdump? I will re-read the
documentation on the mss option in Shorewall.
Sorry for the misunderstandings, it's a bit difficult for me to explain
this complicated scenario in my non-native language.
I very much appreciate your help, really, since I'm a bit lost.

Greetings,
Jörg
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users