[SLUG] IPSec tunnel latency

George Vieira GeorgeV at citadelcomputer.com.au
Wed Jan 16 07:55:11 EST 2002


You can check the routes using a different protocol as we do when checking
GRE (prot 47) packets with PPTP. Not sure the version of traceroute needed
or how to run the command as I've never needed to.

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au


-----Original Message-----
From: Howard Lowndes [mailto:lannet at lannet.com.au]
Sent: Wednesday, January 16 2002 6:43 AM
To: Mail List - SLUG; Mail List - CLUG
Subject: [SLUG] IPSec tunnel latency


I have a number of sites with freeS/WAN IPSec tunnels running on them,
mostly with little or no problem, except for one.

All of the tunnel configs are identical and all have compression running.

In most cases the tunnel adds a latency of around 15msec where the links
are ADSL to ADSL; typically 50-60msec out of tunnel -v- 65-75msec in
tunnel.  In all of these cases the gateways are 500+MHz CPUs with 64+Mb
Ram and running either 2.4.5 or 2.4.8 kernels.

One is an ADSL to PSTN tunnel where the PSTN end is on a P120 with 64Mb.
Here the latency is 150msec -v- 190msec.  I could put this 40msec
difference down to the P120, but it does seem a little excessive even so.

The real bummer is an ADSL to PSTN link where the PSTN end is on a
733MHz CPU with 128Mb so there should be no CPU bottleneck, but the
latencies are 220MHz out of tunnel -v- 460MHz in tunnel; a tunnel latency
of 240msec.  The kernel version here is 2.4.5, but earlier reference does
not show that as a problem as one of the good links is also running 2.4.5
-v- 2.4.8 on most of the rest.

BTW, all of these times are average over a 3 hour period, and pretty
consistent.

The only explanation I can come up with is that the PSTN modem is really
barfing about handling protocol 50, or something in the circuits in
between is barfing about protocol 50.

Would anyone care to make a stab in the dark on this one before I do a
250km trip to replace the modem?

One stab in the dark - would there be any possibility that the routing
between these two particular sites might differ depending upon the type of
protocol being handled.  I am measuring these by pinging the sites, but
the out of tunnel packets would be seen in the circuits as protocol 17
(ICMP) whereas the in tunnel packets would be being seen as protocol 50.
Could these proto 50 packets be being routed via a bird whereas the proto
17 packets are being ground routed?

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
 "We are either doing something, or we are not.
 'Talking about' is a subset of 'not'."

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
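George's suggestion of tracing the path with a different protocol, worked through as an added example (not code from either poster): it parses a `traceroute -n` run using ICMP echo and one using raw IP protocol 50 (ESP, what the in-tunnel packets look like on the wire) to the same peer, reports the first hop where the two paths differ, and shows where the extra delay appears. The `-I` and `-P` flags are those of the modern Linux traceroute and are an assumption, as are the constructed sample traces (documentation-range addresses, not a real capture).

```python
import re
import statistics

ESP = 50  # IP protocol number of IPsec ESP: what the in-tunnel packets look like on the wire

def traceroute_commands(peer):
    """ICMP-echo probes vs raw protocol-50 probes (assumed Linux traceroute flags; raw probes need root)."""
    return (["traceroute", "-n", "-I", peer],
            ["traceroute", "-n", "-P", str(ESP), peer])

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")

def parse_traceroute(text):
    """Parse 'traceroute -n' output into (hop, address or '*', [RTTs in ms]); the header line is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(3))]
            hops.append((int(m.group(1)), m.group(2), rtts))
    return hops

def first_divergence(a, b):
    """First hop whose responding address differs between the two traces, or None."""
    for (n, host_a, _), (_, host_b, _) in zip(a, b):
        if "*" not in (host_a, host_b) and host_a != host_b:
            return n
    return None

def per_hop_delta(a, b):
    """(hop, mean RTT of b minus mean RTT of a) for hops that answered in both traces."""
    return [(n, round(statistics.mean(rb) - statistics.mean(ra), 1))
            for (n, _, ra), (_, _, rb) in zip(a, b) if ra and rb]

# Constructed sample output (documentation-range addresses, not a real capture).
ICMP_TRACE = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.5 ms  0.4 ms  0.4 ms
 2  198.51.100.1  20.1 ms  19.8 ms  20.3 ms
 3  198.51.100.9  45.2 ms  44.9 ms  45.0 ms
 4  203.0.113.10  60.1 ms  59.7 ms  60.4 ms
"""
ESP_TRACE = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.5 ms  0.4 ms  0.5 ms
 2  198.51.100.1  20.0 ms  20.2 ms  19.9 ms
 3  198.51.100.77  250.3 ms  249.8 ms  251.1 ms
 4  203.0.113.10  300.2 ms  299.5 ms  300.8 ms
"""
```

On the constructed traces, `first_divergence` reports hop 3 and `per_hop_delta` ends with `(4, 240.1)`, a 240msec end-to-end difference that first appears at the hop where the protocol-50 path leaves the ICMP path. A path that only diverges for protocol 50 points at routing, while identical paths with the delay at the last hop point at the endpoint or modem.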