[strongSwan] Packet loss in ipsec tunnel

Tobias Brunner
tobias at strongswan.org
Mon Oct 12 16:44:30 CEST 2020

Hi,
> * When are replay-window stats increased?

Whenever a packet arrives with a sequence number that's lower than the
lower end of the replay window (i.e. with seq < highest_received_seq -
window).  Could be an actually delayed packet but might also be because
the window is simply too small for your line speed and traffic pattern,
e.g. because packets arrive so fast and in quick succession that the
window is moved constantly and too quickly, so that slightly delayed (or
perhaps larger) packets have to be dropped.

> * I've noticed that on devices not experiencing packet losses over the
> ipsec tunnel all the stats = 0 (replay-window, replay & fail).

Yes, those stats indicate errors, so it's good if everything is 0 there.

> * I'm suspecting a replay window issue for received ipsec packets that
> are dropped.

Did you configure a replay window size
(connections.<conn>.children.<child>.replay_window in swanctl.conf)?
The default is 32, which is pretty low.

Regards,
Tobias
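As an added illustration (not part of Tobias's reply nor strongSwan's or the kernel's code), the following simulates an RFC 4303-style sliding anti-replay window to show how a packet delayed past the window is counted under "replay-window" with the default size of 32 but accepted with a larger window, while a genuine duplicate is counted under "replay". Class and function names are my own, the traffic is constructed, and the bitmap layout is a simplification of the real XFRM implementation.

```python
class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (simplified)."""

    def __init__(self, size=32):
        self.size = size          # number of sequence numbers the window covers
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => seq (highest - i) was already seen

    def check(self, seq):
        """Classify an arriving packet: 'ok', 'replay' (duplicate) or
        'window' (below the lower edge of the window, i.e. the
        replay-window counter in Tobias's explanation)."""
        if seq > self.highest:
            # Slide the window forward and mark the new highest as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "ok"
        diff = self.highest - seq
        if diff >= self.size:
            return "window"        # too old: arrived after the window moved past it
        if self.bitmap & (1 << diff):
            return "replay"        # already seen inside the window
        self.bitmap |= 1 << diff   # late but still inside the window: accept
        return "ok"


def simulate(window_size, sequence):
    """Feed a sequence of arriving seq numbers through a window and count outcomes."""
    window = ReplayWindow(window_size)
    counts = {"ok": 0, "replay": 0, "window": 0}
    for seq in sequence:
        counts[window.check(seq)] += 1
    return counts


def delayed_traffic():
    """Constructed traffic: packets 1..70 in order, except that packet 5 is
    delayed until after packet 70, followed by a duplicate of packet 20."""
    return [s for s in range(1, 71) if s != 5] + [5, 20]


if __name__ == "__main__":
    # With the default window of 32 the delayed packet 5 (65 behind) and the
    # duplicate 20 (50 behind) both land in the "window" bucket; with 128 the
    # delayed packet is accepted and only the duplicate is flagged as a replay.
    print("window=32 :", simulate(32, delayed_traffic()))
    print("window=128:", simulate(128, delayed_traffic()))
```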