You can try esp=aes_gcm128-null which is the fastest good crypto algo to use but I'm not sure if that is your real problem
Sent from my iPhone

> On Nov 14, 2015, at 06:04, James Fromm <[email protected]> wrote:
>
> Hello,
>
> I am trying to deploy an IPv4 ipsec tunnel to carry IPv6 between our
> main location and a server we rent in Canada running as a KVM host with
> two virtual machines. We have IPv6 fully deployed in both locations so
> the purpose is only to secure the communication.
>
> Traffic from a virtual machine routed to the VM host/ipsec router then
> through the tunnel is VERY slow. Measured with nuttcp, traffic through
> the tunnel averages less than 200 Kb/sec while traffic outside the
> tunnel averages 91 Mb. Traffic from the host directly averages 79 Mb
> through the tunnel.
>
> Wireshark shows a high percentage of TCP retransmissions for the slow
> transfer. Neither router shows any load.
>
> The setup looks like this:
>
> "LAN A" <--> "ipsec router A" <--> "ipsec router B (and VM host)" <--> "VM instances"
>
> On ipsec router A I have:
>
>     conn hac-vmh1-v6subnet
>         also=tev-ipsec-TO-hac-vmh1
>         connaddrfamily=ipv6
>         leftsubnet=2607:fe90:1::/64
>         rightsubnet=2607:fe90:8002:1::/64
>         auto=start
>
>     conn tev-ipsec-TO-hac-vmh1
>         leftid=@tev-ipsec
>         left=216.239.131.43
>         leftrsasigkey=....
>         rightid=@hac-vmh1
>         right=74.82.222.90
>         rightrsasigkey=....
>         authby=rsasig
>
> On ipsec router B I have:
>
>     conn hac-vmh1-v6subnet
>         also=tev-ipsec-TO-hac-vmh1
>         connaddrfamily=ipv6
>         leftsubnet=2607:fe90:1::/64
>         rightsubnet=2607:fe90:8002:1::/64
>         auto=start
>
>     conn tev-ipsec-TO-hac-vmh1
>         leftid=@tev-ipsec
>         left=216.239.131.43
>         leftrsasigkey=....
>         rightid=@hac-vmh1
>         right=74.82.222.90
>         rightrsasigkey=....
>         authby=rsasig
>
> On the VM instances, I put a route to source the traffic from the
> 2607:fe90:8002:1::/64 subnet.
>
> To rule out the internal switching in the host for the virtual machines,
> I installed another server on the same VLAN with 'ipsec router B' as its
> gateway. It too is almost unusable through the tunnel.
>
> I have tried all recommendations to adjust MTU with no effect.
>
> All systems run CentOS 7 with libreswan 3.15. Everything on 'ipsec
> verify' is in the green. Is there another setting needed when the
> libreswan server is used as the gateway for other systems? Is there a
> known issue with subnet to subnet tunnels?
>
> Thank you in advance for any assistance.
>
> Thanks,
> James
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
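The original post reports heavy TCP retransmissions through an IPv6-in-IPv4 ESP tunnel and says MTU adjustments made no difference, and the reply suggests esp=aes_gcm128-null. When checking whether encapsulation overhead is in play, it helps to know exactly how many bytes tunnel mode adds and what the largest inner TCP segment that still fits the underlay MTU is. The following calculator is an added example, not code from the thread or from libreswan; header sizes follow RFC 4303 ESP in tunnel mode over IPv4, and the per-cipher IV, padding alignment and ICV sizes for the two names used (aes_gcm128 and aes128-sha1) are assumptions stated in the comments. It goes slightly beyond the thread by also covering the NAT-T UDP encapsulation case.

```python
"""
Added example: size an IPv6 TCP segment after ESP tunnel-mode
encapsulation over IPv4, and find the largest inner TCP MSS that
fits the path MTU. Not libreswan code; the cipher parameters below
are assumptions for the algorithm names discussed in the thread.
"""

OUTER_IPV4 = 20   # tunnel-mode outer IPv4 header
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
UDP_ENCAP = 8     # extra UDP header when NAT-T encapsulation is in use
INNER_IPV6 = 40   # inner (tunnelled) IPv6 header
TCP_HDR = 20      # TCP header without options

# cipher name -> (IV bytes, pad alignment, ICV bytes). Assumed values:
#   aes_gcm128 : 8-byte IV, 4-byte alignment, 16-byte ICV (AES-GCM, RFC 4106)
#   aes128-sha1: 16-byte IV, 16-byte block alignment, 12-byte HMAC-SHA1-96 ICV
CIPHERS = {
    "aes_gcm128": (8, 4, 16),
    "aes128-sha1": (16, 16, 12),
}


def esp_outer_size(payload_len, cipher="aes_gcm128", udp_encap=False):
    """Bytes on the wire for an inner IPv6/TCP segment with payload_len data bytes."""
    iv, align, icv = CIPHERS[cipher]
    inner = INNER_IPV6 + TCP_HDR + payload_len
    # ESP pads so that (payload + trailer) is a multiple of the cipher alignment
    padding = (-(inner + ESP_TRAILER)) % align
    size = OUTER_IPV4 + ESP_HDR + iv + inner + padding + ESP_TRAILER + icv
    if udp_encap:
        size += UDP_ENCAP
    return size


def max_inner_mss(path_mtu=1500, cipher="aes_gcm128", udp_encap=False):
    """Largest TCP payload whose encapsulated packet does not exceed path_mtu."""
    mss = path_mtu  # upper bound; step down until the outer packet fits
    while mss > 0 and esp_outer_size(mss, cipher, udp_encap) > path_mtu:
        mss -= 1
    return mss


def native_ipv6_mss(path_mtu=1500):
    """MSS a host on the LAN uses when it believes the path MTU is path_mtu."""
    return path_mtu - INNER_IPV6 - TCP_HDR


if __name__ == "__main__":
    mtu = 1500
    lan_mss = native_ipv6_mss(mtu)
    print(f"LAN host MSS for a {mtu}-byte path: {lan_mss}")
    for name in CIPHERS:
        full = esp_outer_size(lan_mss, name)
        fit = max_inner_mss(mtu, name)
        print(f"{name:12s} full LAN segment -> {full} bytes on the wire "
              f"(exceeds {mtu} by {full - mtu}); largest fitting MSS = {fit}")
    print(f"aes_gcm128 with NAT-T UDP encapsulation: MSS = "
          f"{max_inner_mss(mtu, 'aes_gcm128', udp_encap=True)}")
```

Running it shows that a LAN host advertising the native 1440-byte IPv6 MSS produces 1556-byte outer packets with aes_gcm128, so a 1500-byte underlay either fragments or drops them; the largest inner MSS that fits is 1386 (1378 with aes128-sha1 or with NAT-T UDP encapsulation). The figures include the outer IPv4 header, so they are to be compared against the MTU of the physical path between the two routers, which is the value an MSS clamp on the gateway would need to target.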
