Date:      Fri, 04 Sep 2015 03:15:43 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 202885] IPsec performance problems with fragmented ESP and packet loss
Message-ID:  <bug-202885-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202885

            Bug ID: 202885
           Summary: IPsec performance problems with fragmented ESP and
                    packet loss
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cmb@pfsense.org

Take the following setup:

[LAN A] -- (host A) -- [WAN] -- (host B) -- [LAN B]

Where "host A" and "host B" are 11-CURRENT boxes as of Sept 2, running
GENERIC-NODEBUG. Set up an IPsec tunnel between the two to route between LAN A and
B. It doesn't matter what specifics are used in the IPsec config.

Where hosts on the LAN sides have their MTU at 1500, so ESP traffic ends up
being fragmented, and there is packet loss on the WAN, serious performance problems
are encountered. With no loss on the WAN, there is no issue.

Do the following on host A (dummynet needs the bw keyword before the rate):
ipfw pipe 1 config bw 100Mbit/s
ipfw pipe 2 config bw 100Mbit/s
ipfw add 10 pipe 1 ip from any to 1.2.3.4
ipfw add 11 pipe 2 ip from 1.2.3.4 to any

where its WAN IP is 1.2.3.4, and push some traffic over the VPN. I'm doing
'fetch -o /dev/null ...' from a web server on the opposite side. Your
throughput drops off to near 0 repeatedly. Wireshark I/O graph showing this: 
https://files.pfsense.org/cmb/100m-limit-frag.png

Change the MTU on the LAN hosts to 1350 to eliminate ESP fragmentation, and you
get the expected steady throughput:
https://files.pfsense.org/cmb/100m-limit-no-frag.png




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-202885-8>
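To make the two MTU figures in the report concrete, the following is an added example (not part of the bug report and not FreeBSD code) that computes the outer ESP tunnel-mode packet size for a given inner packet, how many WAN fragments it becomes, and the largest LAN MTU that avoids fragmentation; it also generalizes the report's observation by showing how per-fragment loss compounds into whole-datagram loss. The two cipher-suite parameter sets and the 1% loss figure are assumptions chosen for illustration.

```python
# Added example, not from the bug report: estimate the outer ESP tunnel-mode
# packet size for an inner packet and check whether it fragments on the WAN.
# The cipher-suite parameters below are assumptions used for illustration.

def esp_tunnel_len(inner_len, iv_len, align, icv_len, outer_hdr=20):
    """Outer IPv4 packet length for one inner packet of inner_len bytes
    carried in ESP tunnel mode (RFC 4303 layout, IPv4 outer header)."""
    # payload + pad-length byte + next-header byte must be a multiple of align
    pad = (-(inner_len + 2)) % align
    padded = inner_len + pad + 2
    return outer_hdr + 8 + iv_len + padded + icv_len  # 8 = SPI + sequence no.

def fragments_needed(outer_len, wan_mtu):
    """Number of IPv4 fragments the outer packet becomes on a wan_mtu link."""
    if outer_len <= wan_mtu:
        return 1
    per_frag = (wan_mtu - 20) // 8 * 8   # fragment data is in 8-byte units
    return -(-(outer_len - 20) // per_frag)

def max_inner_len(wan_mtu, iv_len, align, icv_len, outer_hdr=20):
    """Largest inner packet (i.e. LAN MTU) that still fits in one WAN packet."""
    fixed = outer_hdr + 8 + iv_len + icv_len
    return (wan_mtu - fixed) // align * align - 2

def datagram_loss(per_fragment_loss, n_fragments):
    """Loss rate the ESP datagram sees: losing any fragment discards it all."""
    return 1 - (1 - per_fragment_loss) ** n_fragments

# Assumed suites: (IV length, pad alignment, ICV length) in bytes.
SUITES = {
    "aes-cbc/hmac-sha1-96": dict(iv_len=16, align=16, icv_len=12),
    "aes-gcm-16": dict(iv_len=8, align=4, icv_len=16),
}

if __name__ == "__main__":
    for name, p in SUITES.items():
        for lan_mtu in (1500, 1350):   # the two MTUs tried in the report
            n = fragments_needed(esp_tunnel_len(lan_mtu, **p), 1500)
            print(f"{name}: LAN MTU {lan_mtu} -> {n} fragment(s); "
                  f"with 1% fragment loss the datagram loss is "
                  f"{datagram_loss(0.01, n):.2%}")
        print(f"{name}: largest inner packet fitting a 1500-byte WAN MTU: "
              f"{max_inner_len(1500, **p)}")
```

With either assumed suite a 1500-byte inner packet becomes two WAN fragments while a 1350-byte one fits in a single packet, which is the difference between the two throughput graphs above.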