You can check the routes using a different protocol as we do when checking GRE (prot 47) packets with PPTP. Not sure the version of traceroute needed or how to run the command as I've never needed to.
thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au

-----Original Message-----
From: Howard Lowndes [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16 2002 6:43 AM
To: Mail List - SLUG; Mail List - CLUG
Subject: [SLUG] IPSec tunnel latency

I have a number of sites with freeS/WAN IPSec tunnels running on them, mostly with little or no problem, except for one. All of the tunnel configs are identical and all have compression running.

In most cases the tunnel adds a latency of around 15msec where the links are ADSL to ADSL; typically 50-60msec out of tunnel -v- 65-75msec in tunnel. In all of these cases the gateways are 500+MHz CPUs with 64+Mb Ram and running either 2.4.5 or 2.4.8 kernels.

One is an ADSL to PSTN tunnel where the PSTN end is on a P120 with 64Mb. Here the latency is 150msec -v- 190msec. I could put this 40msec difference down to the P120, but it does seem a little excessive even so.

The real bummer is an ADSL to PSTN link where the PSTN end is on a 733MHz CPU with 128Mb so there should be no CPU bottleneck, but the latencies are 220MHz out of tunnel -v- 460MHz in tunnel; a tunnel latency of 240msec. The kernel version here is 2.4.5, but earlier reference does not show that as a problem as one of the good links is also running 2.4.5 -v- 2.4.8 on most of the rest.

BTW, all of these times are average over a 3 hour period, and pretty consistent.

The only explanation I can come up with is that the PSTN modem is really barfing about handling protocol 50, or something in the circuits in between is barfing about protocol 50.

Would anyone care to make a stab in the dark on this one before I do a 250km trip to replace the modem?

One stab in the dark - would there be any possibility that the routing between these two particular sites might differ depending upon the type of protocol being handled? I am measuring these by pinging the sites, but the out of tunnel packets would be seen in the circuits as protocol 17 (ICMP) whereas the in tunnel packets would be being seen as protocol 50. Could these proto 50 packets be being routed via a bird whereas the proto 17 packets are being ground routed?

--
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"We are either doing something, or we are not. 'Talking about' is a subset of 'not'."

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
