[strongSwan] Troubleshooting VPN performance

Noel Kuntze noel at familie-kuntze.de
Mon Apr 10 16:45:49 CEST 2017

On 10.04.2017 16:40, Zach Cutlip wrote:
> Just to clarify: are you referring to
> charon.plugins.kernel-netlink.mss and
> charon.plugins.kernel-netlink.mtu?

You can set the MSS on the strongSwan host using iptables[1][2].

For the MTU, you very likely want to do that on the client.
The strongSwan android app honors that.

Setting charon.plugins.kernel-netlink.mss only has significance for connections
that are initiated by the host running strongSwan
and using charon.plugins.kernel-netlink.mtu just flat out breaks
connectivity for IPsec peers with remote hosts that don't honor ICMP fragmentation needed
messages (Instagram, for example). :(

> Do the clients require any configuration change?

See above.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
[2] https://strongswan.net/blog/how-to-resolve-mtu-issue-with-ipsec-tunnel/

> On Tue, Apr 4, 2017 at 11:59 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> Hello Zach,
>> On 30.03.2017 07:58, Zach Cutlip wrote:
>>> Hello,
>>> I'm using StrongSwan in a road warrior configuration that allows me to
>>> VPN all my smartphone and laptop traffic through my home internet
>>> connection. When I'm away from home, my devices automatically connect
>>> from my MacBook and iPhone.
>>> This works really well, with speeds generally approaching my home
>>> internet service's upstream limit of 10Mbps, which is the bottleneck.
>>> The only exception is when I'm on the commuter bus to and from work
>>> using the bus's WiFi. The on-bus WiFi's speed without the VPN
>>> connected is generally around 15-30 Mbps, as tested by fast.com (over
>>> HTTPS, so caching shouldn't be an issue) as well as ssh/scp. However,
>>> when I connect to the VPN while on the bus, the performance becomes
>>> nearly unusable; less than 1Mbps, sometimes around a few hundred Kbps.
>>> In case it matters, I'm guessing the bus uses some sort of cellular
>>> backhaul. The public IP address block belongs to Clearwire, which I
>>> think is owned by Sprint.
>>> I'm not sure how I would begin troubleshooting this:
>>> - Is there any particular way I should configure logging on either the
>>> server or the client?
>>> - Are there any particular things I should look for in the logs?
>>> - Is there anything I should look for in packet captures either on the
>>> client or the server?
>>> - Any other things I should look for?
>>> Thanks,
>>> Zach
>> Try lowering the MSS and MTU inside the tunnel to
>> 1200 and 1300. There might be some MSS fixing happening on the
>> mobile backhaul.
>> You can use the instructions from the wiki to get a good traffic dump.
>> I guess there are simply a lot of retransmissions, because of the dropped
>> packets and nothing more. Maybe the WiFi does aggressive QoS
>> and drops all the ESP/UDPENCAP packets.
>> --
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> -- :wq!


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
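As an added example, not from this thread or the strongSwan project: a small POSIX shell helper that derives the largest TCP MSS fitting a given inner MTU and emits the iptables mangle rules that clamp the MSS of SYNs handled by an IPsec policy on the gateway, the approach the reply points to with the wiki links. The exact rule shape (policy match, tcpmss match, TCPMSS target) and the iptables extensions are assumptions from that wiki article; the default figures (MSS 1200, MTU 1300) are the ones suggested earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project.
# Emits iptables rules that clamp the TCP MSS of SYN packets handled by an
# IPsec policy on the strongSwan gateway, so traffic outside the tunnel is
# untouched. Assumes iptables with the policy, tcpmss and TCPMSS extensions
# (IPv4 only); the rule shape is assumed from the wiki article linked above.

# Largest TCP MSS that fits a given MTU: subtract the 20-byte IPv4 header
# and the 20-byte TCP header (no options). Prints the value.
mss_for_mtu() {
    echo $(($1 - 40))
}

# True (exit 0) when the requested MSS fits inside the given MTU.
mss_fits_mtu() {
    [ "$1" -le "$(mss_for_mtu "$2")" ]
}

# Print the two rules (tunnel ingress and egress, FORWARD chain of the mangle
# table). Only SYNs advertising an MSS larger than the target are rewritten,
# so peers that already negotiate a smaller MSS are left alone.
mss_clamp_rules() {
    mss="$1"
    for dir in in out; do
        printf 'iptables -t mangle -A FORWARD -m policy --pol ipsec --dir %s -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %s:65535 -j TCPMSS --set-mss %s\n' \
            "$dir" "$((mss + 1))" "$mss"
    done
}

# Usage: sh mss-clamp.sh [apply]
# Defaults follow the thread: MSS 1200 inside an inner MTU of 1300.
main() {
    mtu=1300
    mss=1200
    if ! mss_fits_mtu "$mss" "$mtu"; then
        echo "MSS $mss does not fit in MTU $mtu" >&2
        return 1
    fi
    if [ "$1" = apply ]; then
        mss_clamp_rules "$mss" | sh    # needs root on the gateway
    else
        mss_clamp_rules "$mss"         # dry run: just print the rules
    fi
}

main "$@"
```

Without the `apply` argument the script only prints the rules, so it can be reviewed before anything touches the live firewall.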
