TCP speed issue inside ipsec tunnel


#1

Hello, we’re experiencing very strange issue with gre over ipsec tunnel. During bandwidth and throughput (iperf) test for created tunnel we’re seeing issues with TCP streams speed it showing about 50-70 Mbit/s, while UDP stream can utilize up to 400 Mbit/s. Baseline WAN throughput is 500Mbit/s, and clear non encrypted gre tunnel showing this amount of throughput.

Both endpoints are Vsphere VMs with 4 vCPUs.
Please check tunnel configs below:

[code]set interfaces tunnel tun0 address ‘172.24.21.10/30’
set interfaces tunnel tun0 description ‘OW’
set interfaces tunnel tun0 encapsulation ‘gre’
set interfaces tunnel tun0 local-ip ‘LOCALWAN’
set interfaces tunnel tun0 mtu ‘1400’
set interfaces tunnel tun0 multicast ‘disable’
set interfaces tunnel tun0 policy route ‘change-mss’
set interfaces tunnel tun0 remote-ip ‘REMOTEWAN’

set vpn ipsec site-to-site peer REMOTEWAN authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer REMOTEWAN authentication pre-shared-secret ‘SECRET’
set vpn ipsec site-to-site peer REMOTEWAN connection-type ‘initiate’
set vpn ipsec site-to-site peer REMOTEWAN default-esp-group ‘IPIP’
set vpn ipsec site-to-site peer REMOTEWAN ike-group ‘IPIP’
set vpn ipsec site-to-site peer REMOTEWAN ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer REMOTEWAN local-address ‘LOCALWAN’
set vpn ipsec site-to-site peer REMOTEWAN tunnel 0 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer REMOTEWAN tunnel 0 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer REMOTEWAN tunnel 0 protocol ‘gre’

set vpn ipsec esp-group IPIP compression ‘disable’
set vpn ipsec esp-group IPIP lifetime ‘3600’
set vpn ipsec esp-group IPIP mode ‘transport’
set vpn ipsec esp-group IPIP pfs ‘dh-group2’
set vpn ipsec esp-group IPIP proposal 1 encryption ‘aes128’
set vpn ipsec esp-group IPIP proposal 1 hash ‘sha1’
set vpn ipsec ike-group IPIP dead-peer-detection action ‘restart’
set vpn ipsec ike-group IPIP dead-peer-detection interval ‘15’
set vpn ipsec ike-group IPIP dead-peer-detection timeout ‘30’
set vpn ipsec ike-group IPIP ikev2-reauth ‘no’
set vpn ipsec ike-group IPIP key-exchange ‘ikev1’
set vpn ipsec ike-group IPIP lifetime ‘28800’
set vpn ipsec ike-group IPIP proposal 1 dh-group ‘2’
set vpn ipsec ike-group IPIP proposal 1 encryption ‘aes128’
set vpn ipsec ike-group IPIP proposal 1 hash ‘sha1’

set policy route change-mss rule 1 protocol ‘tcp’
set policy route change-mss rule 1 set tcp-mss ‘1360’
set policy route change-mss rule 1 tcp flags ‘SYN’[/code]

I tried to play with mtu and mss values, tried to change gre to ipip, tried to use different ike,esp configurations, nothing helped.
I’m open to discuss any advises or suggestions

P.S. I’ve tried to install evaluation version of Cisco csr1000v and got around 380 Mbit/s over ipsec with similar configuration even with 2 vCPUs between same locations. This result just to compare.


#2

First thing that comes to mind is TCP window not scaling up enough, so you spend time waiting for ACKs to arrive before sending the next packet, leaving link idle in mean time.


#3

Hi, I understand your idea and I was thinking about the same, but tried to use different approaches to change mss, mtu values.
I tried to apply built-in option, you may see it in configs, tried to add rule manually in iptables mangle postrouting chain
Maybe you can suggest any other option?