[uanog] slow ipsec between linux and mikrotik

Volodymyr Litovka doka at xlit.one
Mon Dec 14 19:01:48 EET 2020


Will this help? -

-------- Forwarded Message --------

Subject: 	Re: [strongSwan] Packet loss in ipsec tunnel
Date: 	Mon, 12 Oct 2020 16:44:30 +0200
From: 	Tobias Brunner <tobias at strongswan.org>
To: 	wax g. <waxitau at gmail.com>, users at lists.strongswan.org



Hi,

> * When is replay-window stats increased ?

Whenever a packet arrives with a sequence number that's lower than the
lower end of the replay window (i.e. with seq < highest_received_seq -
window). Could be an actually delayed packet but might also be because
the window is simply too small for your line speed and traffic pattern,
e.g. because packets arrive so fast and in quick succession that the
window is moved constantly and too quickly so slightly delayed (or
perhaps larger) packets have to be dropped.

> * I've noticed that on devices not experiencing packet losses over the
> ipsec tunnel all the stats = 0 (replay-window, replay & fail).

Yes, those stats indicate errors, so it's good if everything is 0 there.

> * I'm suspecting a replay window issue for received ipsec packets that
> are dropped..

Did you configure a replay window size
(connections.<conn>.children.<child>.replay_window in swanctl.conf)?
The default is 32, which is pretty low.

Regards,

Tobias


On 14.12.2020 15:41, Gregory Edigarov wrote:
> Hi everyone,
>
> while copying a large file we ran into a problem.
> mss/mtu - we seem to have done everything, but it is still slow.
> 1 Mbit on a 100 Mbit link....
>
> what could be the cause?

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
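
The drop condition described in the forwarded reply, as an added example that is not part of the original thread or of strongSwan's code: a simplified receiver-side anti-replay window (no ESN) run over constructed traffic in which every 50th packet arrives 100 packets late. The class and function names, and the window size 128 used for comparison, are assumptions made for this illustration.

```python
class ReplayWindow:
    """Simplified anti-replay window for one inbound SA (illustrative model)."""

    def __init__(self, size):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen
        self.too_old = 0    # below the window: what "replay-window" counts
        self.replayed = 0   # duplicate inside the window: what "replay" counts

    def accept(self, seq):
        if seq > self.top:
            # New highest packet: slide the window forward and mark it as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            # Late packet fell off the lower end of the window: dropped
            # even though it is legitimate traffic.
            self.too_old += 1
            return False
        if (self.bitmap >> offset) & 1:
            self.replayed += 1
            return False
        self.bitmap |= 1 << offset
        return True


def delayed_stream(n, every, delay):
    """Constructed traffic: every `every`-th packet arrives `delay` packets late."""
    arrivals = [(seq + delay if seq % every == 0 else seq, seq)
                for seq in range(1, n + 1)]
    return [seq for _, seq in sorted(arrivals)]


def run(window, n=10_000, every=50, delay=100):
    """Return (delivered, too_old, replayed) for one window size."""
    rw = ReplayWindow(window)
    delivered = sum(rw.accept(seq) for seq in delayed_stream(n, every, delay))
    return delivered, rw.too_old, rw.replayed


if __name__ == "__main__":
    for window in (32, 128):
        print(window, run(window))
```

With the same reordering, the 32-packet window discards the late packets as too old, while a window larger than the reordering depth delivers all of them with both counters at 0.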
