Re: [Users] Performance freeswan

From: Alex Pankratov <alex(at)cipherica.com>
Date: Sun Mar 23 2003 - 19:38:19 EST

My money is on the excessive packet fragmentation.

If you run IPsec in tunnel mode, it's normally a good idea to have the DF (don't fragment) flag copied from the plaintext IP header to the one prepended by ESP. This allows the Path MTU discovery algorithm to function correctly and ensures that packet size does not exceed media MTU after the encryption.

If DF flag is not copied, but reset instead, the traffic will still flow, but excessive fragmentation will degrade the performance quite a bit.

IPsec clients (including IIRC Sentinel) sometimes have an advanced option controlling DF-copying behaviour. It is quite useful to troubleshoot scenarios with buggy *cough* Linksys *cough* routers.

I'd suggest starting with tcpdump'ing the traffic and checking if there are more IP fragments than usual.

Alternately, you can try configuring the built-in XP IPsec agent and see if performance improves. If it does, then Sentinel is obviously at fault. Also check that Sentinel is not configured to do any sort of excessive logging or auditing.

/alex


G.T. van Amersfoort wrote:
> Hello,



Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Received on Sun Mar 23 21:30:18 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:02 EDT
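The fragment check suggested in the message above, sketched as an added example that is not part of the original post: it reads the flags/fragment-offset field of IPv4 headers, counts fragments, and records whether ESP (IP protocol 50) packets carry DF. The function names and the sample headers are constructed for illustration, and the headers are assumed to have been extracted from a capture already.

```python
import struct
from collections import Counter

ESP = 50  # IP protocol number for ESP

def ipv4_header(proto, total_len, flags_frag, ident=1):
    """Build a constructed 20-byte IPv4 header (checksum left at 0) for the sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

def inspect(header):
    """Return (protocol, DF set?, is fragment?) for one IPv4 header."""
    flags_frag, = struct.unpack("!H", header[6:8])
    df = bool(flags_frag & 0x4000)      # Don't Fragment bit
    mf = bool(flags_frag & 0x2000)      # More Fragments bit
    offset = flags_frag & 0x1FFF        # fragment offset in 8-byte units
    return header[9], df, mf or offset != 0

def summarize(headers):
    """Count packets, fragments and the DF state of ESP packets."""
    stats = Counter()
    for h in headers:
        if len(h) < 20 or h[0] >> 4 != 4:   # truncated or not IPv4
            stats["skipped"] += 1
            continue
        proto, df, frag = inspect(h)
        stats["packets"] += 1
        stats["fragments"] += frag
        if proto == ESP:
            stats["esp_df_set" if df else "esp_df_clear"] += 1
    return stats

def fragment_ratio(stats):
    """Share of parsed packets that are IP fragments."""
    return stats["fragments"] / stats["packets"] if stats["packets"] else 0.0

# Constructed sample: one ESP packet with DF copied, one ESP packet whose DF
# was reset and which was split into two fragments, one TCP packet, one runt.
SAMPLE = [
    ipv4_header(ESP, 1400, 0x4000),
    ipv4_header(ESP, 1500, 0x2000, ident=2),   # first fragment (MF set)
    ipv4_header(ESP, 76, 185, ident=2),        # last fragment (offset 1480/8)
    ipv4_header(6, 60, 0x4000, ident=3),
    b"\x45\x00",
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(dict(s), "fragment ratio:", fragment_ratio(s))
```

ESP packets showing up with DF clear together with a high fragment ratio are consistent with the DF flag being reset rather than copied.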

