Old 11-18-2014, 10:47 PM   #1
Strongswan-to-Strongswan IPsec VPN - slow with pure ESP, fast w/UDP encapsulation?

So a bit of a weird one. I've been working over the past few months with Strongswan on ArchLinux. I've succeeded in establishing a site-to-site x509 certificate-based VPN between 2 Arch machines acting as routers, at 2 different Comcast sites. I'm not using L2TP, just pure IPsec ESP without any encapsulation. Everything gets established correctly, and the connection has stayed up for several weeks now. However, I ran into a problem with the bandwidth of traffic over the VPN being very erratic - iperf testing yielded wide variations in ~25%-50% of the allotted bandwidth given by Comcast.

I bashed my head in for a while, trying different MTUs and MSS window limiting, all to no effect. Finally, I had the wildcard idea to force NAT-T UDP encapsulation... and the speeds increased dramatically, up to ~95% of the bandwidth of non-VPN traffic. I will say that in my internal testing, connecting the routers' "WAN" ports together with an ethernet cable & configuring the VPN between them that way, I never saw that behavior. It was only when I moved the routers to the actual Comcast connection that I saw the reduced speeds.

So why did enabling UDP encapsulation improve the speed? Could there be some device on Comcast's network that is inefficient at processing standard ESP packets, but has no problem with UDP-encapsulated ESP packets?
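When comparing the two setups it helps to confirm from the kernel's own view which SAs are plain ESP (IP protocol 50) and which are ESP-in-UDP on port 4500, since that is what the ISP path actually sees. The helper below is an added example, not code from the post or from strongSwan; the `ip xfrm state` text it parses is a constructed sample with dummy keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify each IPsec SA in `ip xfrm state` output as plain ESP or
# ESP-in-UDP (NAT-T). Prints one line per SA: "<src> <dst> <spi> esp|espinudp".
# Live use: sa_encap_status "$(ip xfrm state)"
sa_encap_status() {
    printf '%s\n' "$1" | awk '
        function flush() { if (src != "") print src, dst, spi, encap }
        # Each SA begins with "src A dst B"; default to plain ESP until
        # an "encap type espinudp" line proves otherwise.
        /^src / { flush(); src = $2; dst = $4; spi = ""; encap = "esp" }
        $1 == "proto" && $2 == "esp" { spi = $4 }
        /encap type espinudp/ { encap = "espinudp" }
        END { flush() }
    '
}

# Number of SAs still running without UDP encapsulation; a non-zero result
# after forcing encapsulation means the setting did not take effect.
plain_esp_count() {
    sa_encap_status "$1" | awk '$4 == "esp" { n++ } END { print n + 0 }'
}

# Constructed sample: one encapsulated SA, one plain-ESP SA, dummy keys.
SAMPLE_XFRM_STATE='src 203.0.113.10 dst 198.51.100.20
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x0000 128
    enc cbc(aes) 0x0000
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.20 dst 203.0.113.10
    proto esp spi 0xd4e5f607 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x0000 128
    enc cbc(aes) 0x0000'

sa_encap_status "$SAMPLE_XFRM_STATE"
echo "plain ESP SAs: $(plain_esp_count "$SAMPLE_XFRM_STATE")"
```

Run it on both routers before and after the change; the pair of SAs for one tunnel should flip from `esp` to `espinudp` together, and any leftover `esp` entry points at a peer that did not negotiate encapsulation.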

