[strongSwan] High latencies
turbo at bayour.com
Tue Sep 19 18:15:37 CEST 2017
On 19 Sep 2017, at 16:00, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Check the tcp metrics (ip tcp_metrics) and look at the MSS.
There are no metrics at all related to MSS on either of the VPN instances:
root at jumpbox-london:~# ip tcp_metrics | grep -i mss
root at jumpbox-london:~#
root at jumpbox:~# ip tcp_metrics 2>&1 | grep -i mss
root at jumpbox:~#
> MSS likely found out the right MSS very quickly with the lower MTU.
> Other than guessing, I can't help you, because I have no access to your environment.
> I doubt anybody else can do anything else than that.
Well, the MTU was done more than ten minutes before the iptable rules and it still didn’t work...
I even tried restarting the tunnel. Didn’t work. I added the iptable rules,
tested - didn’t work. I then reverted those changes and THEN it worked.
For a very brief period.
I can even reproduce it!
1) Set MTU 1500 on all hosts
2) Add the iptable rules
3) Set the MTU to 9001 on all hosts

1) Add the iptable rules

alone doesn’t work! But “kick” the MTU back and forth, and it works. I’m going
to leave it for a while to see if it’s permanent. It’s been working for several minutes.
Yeah, still works. Spooky!
On 19 Sep 2017, at 16:08, Simon Deziel <simon.deziel at gmail.com> wrote:
> You mentioned EC2 so please double check that your Security Group let
> ICMP go through.
Checked and double checked. All instances allow ICMP ingress and egress.
On 19 Sep 2017, at 16:12, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Now that you mention it: Also check the Network ACLs
I haven’t modified any NACLs. They’re all standard - allowing everything.