[strongSwan] Troubleshooting VPN performance

Noel Kuntze noel at familie-kuntze.de
Tue Apr 4 20:59:46 CEST 2017

Hello Zach,

On 30.03.2017 07:58, Zach Cutlip wrote:
> Hello,
> I'm using StrongSwan in a road warrior configuration that allows me to
> VPN all my smartphone and laptop traffic through my home internet
> connection. When I'm away from home, my devices automatically connect
> from my MacBook and iPhone.
> This works really well, with speeds generally approaching my home
> internet service's upstream limit of 10Mbps, which is the bottleneck.
> The only exception is when I'm on the commuter bus to and from work
> using the bus's WiFi. The on-bus WiFi's speed without the VPN
> connected is generally around 15-30 Mbps, as tested by fast.com (over
> HTTPS, so caching shouldn't be an issue) as well as ssh/scp. However,
> when I connect to the VPN while on the bus, the performance becomes
> nearly unusable; less than 1Mbps, sometimes around a few hundred Kbps.
> In case it matters, I'm guessing the bus uses some sort of cellular
> backhaul. The public IP address block belongs to Clearwire, which I
> think is owned by Sprint.
> I'm not sure how I would begin troubleshooting this:
> - Is there any particular way should I configure logging on either the
> server or the client?
> - Are there any particular things I should look for in the longs?
> - Is there anything I should look for in packet captures either on the
> client or the server?
> - Any other things I should look for?
> Thanks,
> Zach

Try lowering the MSS and MTU inside the tunnel to

1200 and 1300. There might be some MSS fixing happening on the
mobile backhaul.

You can use the instructions from the wiki to get a good traffic dump.
I guess there are simply a lot of retransmissions, because of the dropped
packets and nothing more. Maybe the WiFi does aggressive QoS
and drops all the ESP/UDPENCAP packets.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170404/792521d3/attachment.sig>

More information about the Users mailing list