Hi Aric, Thanks for the reply. That sounds about right, I'm getting about 7Mbit of IPsec traffic. I have tried turning on/off ipcomp with no real improvement. For this particular tunnel I'm now needing more throughput. I've been looking at the net6501 and am considering giving it a try.
Regards, Brandan -----Original Message----- From: Aric Warsaw [mailto:[email protected]] Sent: Friday, December 09, 2011 3:43 PM To: Brandan Rowley Cc: [email protected] Subject: Re: [Soekris] vr0 using OpenBSD stops responding. Hi Brandan I've experienced just this even with the crypto accelerator card. That was back on OpenBSD 4.8. I've found that about 8-10Mbit of IPsec traffic is all you're going to get out of these guys...your mileage may vary. Taking IPsec full throttle for 30 minutes or longer was causing my 5501 to fall off the network....lost layer 2 and serial to the box entirely. My work around was to QoS the IPsec traffic down. Another option that I hadn't done personally and assuming you've enabled ipcomp, you can turn it off to save CPU resources. Again hadn't done it. Most IPsec documentation for OpenBSD tells you to enable this in /etc/sysctl.conf, so it might break your flows and SAs. This is the setting: net.inet.ipcomp.enable=1 # 0 to disable or just comment out the line Let us know if you try it and notice a difference. Hope that helps. -Aric 2011/12/9 Brandan Rowley <[email protected]>: > Hi, > > I am new to the list so be gentle if this has been posted already. I > am using two net5501 (with the VPN chip) running OpenBSD 4.9 to setup > a VPN tunnel. The tunnel has been up and running for a while. We've > recently added Windows 7 PC to the network. Performing file transfers > from the Windows 7 PC's across the VPN tunnel causes the internal > interface of the > net5501 to stop responding. A reboot is needed to get the interface > communicating again. This repeatable. Windows XP clients have no issues. > Is this a fix or workaround for this? I've tried OpenBSD 5.0 and read > of similar issues on OpenBSD, but have not found a resolution. > > Regards, > Brandan > > > _______________________________________________ > Soekris-tech mailing list > [email protected] > http://lists.soekris.com/mailman/listinfo/soekris-tech > _______________________________________________ Soekris-tech mailing list [email protected] http://lists.soekris.com/mailman/listinfo/soekris-tech
