Hello,

I am trying to deploy an IPv4 ipsec tunnel to carry IPv6 between our
main location and a server we rent in Canada running as a KVM host with
two virtual machines.  We have IPv6 fully deployed in both locations so
the purpose is only to secure the communication.

Traffic from a virtual machine routed to the VM host/ipsec router then
through the tunnel is VERY slow.  Measured with nuttcp traffic through
the tunnel averages less than 200 Kb/sec while traffic outside the
tunnel averages 91 Mb.  Traffic from the host directly averages 79 Mb
through tunnel.

Wireshark shows a high percentage of TCP retransmissions for the slow
transfer.  Neither router shows any load.

The setup looks like this:

"LAN A" <--> "ipsec router A" <--> "ipsec router B (and VM host)" <-->
"VM instances"

On ipsec router A I have:

        conn hac-vmh1-v6subnet
                also=tev-ipsec-TO-hac-vmh1
                connaddrfamily=ipv6
                leftsubnet=2607:fe90:1::/64
                rightsubnet=2607:fe90:8002:1::/64
                auto=start
        conn tev-ipsec-TO-hac-vmh1
                leftid=@tev-ipsec
                left=216.239.131.43
                leftrsasigkey=....
                rightid=@hac-vmh1
                right=74.82.222.90
                rightrsasigkey=....
                authby=rsasig

On ipsec router B I have:

        conn hac-vmh1-v6subnet
                also=tev-ipsec-TO-hac-vmh1
                connaddrfamily=ipv6
                leftsubnet=2607:fe90:1::/64
                rightsubnet=2607:fe90:8002:1::/64
                auto=start
        conn tev-ipsec-TO-hac-vmh1
                leftid=@tev-ipsec
                left=216.239.131.43
                leftrsasigkey=....
                rightid=@hac-vmh1
                right=74.82.222.90
                rightrsasigkey=....
                authby=rsasig

On the VM instances, I put a route to source the traffic from the
2607:fe90:8002:1::/64 subnet.

To rule out the internal switching in the host for the virtual machines,
I installed another server on the same VLAN with 'ipsec router B' as its
gateway.  It too is almost unusable through the tunnel.

I have tried all recommendations to adjust MTU with no effect.

All systems run CentOS 7 with libreswan 3.15.  Everything on 'ipsec
verify' is in the green.  Is there another setting needed when the
libreswan server is used as the gateway for other systems?  Is there a
known issue with subnet to subnet tunnels?

Thank you in advance for any assistance.

Thanks,
James
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
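
As an added example (not part of James's message and not libreswan code), the function below computes the encapsulation overhead of an inner IPv6 packet carried in IPv4 ESP tunnel mode, giving the largest inner MTU and TCP MSS clamp that fit a 1500 byte path without relying on PMTU discovery across the tunnel; the cipher parameters (AES-CBC with a 16-byte IV, 16-byte block, 96-bit ICV) are assumptions, since the post does not name the proposal in use.

```python
"""MTU / MSS budget for IPv6 inside IPv4 ESP tunnel mode (constructed example)."""

IPV4_HDR = 20      # outer IPv4 header, no options
IPV6_HDR = 40      # inner IPv6 header
TCP_HDR = 20       # TCP header without options
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # extra UDP header when NAT traversal encapsulation is active


def esp_overhead(iv_len, icv_len, block, inner_len, nat_t=False):
    """Bytes ESP tunnel mode adds around an inner packet of inner_len bytes.

    CBC-style padding makes (inner packet + trailer) a multiple of the cipher
    block size; iv_len/icv_len depend on the negotiated proposal (assumed).
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ
            + iv_len + pad + ESP_TRAILER + icv_len)


def max_inner_mtu(path_mtu, iv_len=16, icv_len=12, block=16, nat_t=False):
    """Largest inner IPv6 packet that still fits path_mtu after encapsulation.

    Walks down from path_mtu because padding depends on the inner length,
    so the relationship is not a fixed subtraction.
    """
    inner = path_mtu
    while inner > 0 and inner + esp_overhead(iv_len, icv_len, block,
                                              inner, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(inner_mtu):
    """TCP MSS that keeps a full segment inside inner_mtu (IPv6 + TCP headers)."""
    return inner_mtu - IPV6_HDR - TCP_HDR


if __name__ == "__main__":
    for nat_t in (False, True):
        mtu = max_inner_mtu(1500, nat_t=nat_t)
        print(f"NAT-T={nat_t}: inner MTU {mtu}, TCP MSS clamp {tcp_mss_clamp(mtu)}")
```

The VM-side interface MTU (or an MSS clamp on the router's forwarding path) set at or below the computed value keeps every inner packet within the outer path, so an ICMP-blackhole on the encapsulated leg cannot cause the retransmission pattern described.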