[ale] VPN+wireless is *really* slow

Bob Toxen bob at verysecurelinux.com
Tue Mar 18 16:45:58 EST 2003


On Mon, Mar 17, 2003 at 09:26:03AM -0500, Keith R. Watson wrote:
> At 08:43 PM 3/15/2003 -0700, you wrote:
> >Hi folks,

...
> >However, I have a problem. My favorite thing to do with the XP box is
> >to fire up VNCviewer and use my Linux boxen remotely. But here I am
> >screwed, it seems. If I run the IPsec tunnel over a 10baseT
> >connection, or if I run wifi with no IPsec, VNC works fine. But if I
> >run my VNC session over IPsec+wifi, VNCviewer just sits there forever
> >saying, "Please wait, initial screen loading." Tcpdump reveals that
> >only a tiny fraction of the expected VNC traffic is actually leaving
> >the server (which, incidentally, lives on my 10baseT LAN behind the
> >IPsec<-->wireless firewall).

> >I suspect this has something to do with MTUs and/or fragmentation, but
> >I could be wrong, and my clue supply has run out. Any help?

Three things tend to greatly slow down tunnelling:

1. TCP tunnelled inside of TCP due to MTUs and retry timings of the
   "inner" and "outer" connections tripping over each other.

2. Lack of tuning for same.

3. Sending screen images across the network (especially less than 10Mbaud)
   instead of sending text.

> >Thanks,

> >-- Joe Knapka

> Joe,

> I've done some testing on the interaction of MTU and VPN traffic. Try
> lowering your MTU to 1000. If the problem clears up then you have an
> MTU/VPN conflict. If not then the problem lies elsewhere.

There are many places to tune for performance.  MTUs are just one of them.

> keith
> -------------

> Keith R. Watson                        GTRI/ITD
> Systems Support Specialist III         Georgia Tech Research Institute
> keith.watson at gtri.gatech.edu           Atlanta, GA  30332-0816
> 404-894-0836

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
bob at verysecurelinux.com (e-mail)
+1 770-662-8321  (Office)

I'll be giving talks on computer security at IBM's Linux Competency Center
in New York City on March 6 and at the "Real World Linux" conference in
Toronto on April 30.

Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562

http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
Quality Linux, UNIX and network security and software consulting since 1990.
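An added example, not from the thread: a small Python probe for checking the MTU/VPN conflict Keith describes. It binary-searches the largest Don't-Fragment ping that makes it across the tunnel, so you can compare the path MTU through IPsec+wifi with the 1500 you get over plain 10baseT. It assumes Linux iputils `ping` (`-M do` sets DF) and IPv4 ICMP (28 bytes of header per probe); the host name is a command-line argument.

```python
import subprocess
import sys

# 20-byte IPv4 header + 8-byte ICMP header; ping's -s gives the payload only.
IPV4_ICMP_OVERHEAD = 28


def ping_df(host, payload, timeout=2):
    """Send one ICMP echo of `payload` bytes with the DF bit set.

    Returns True if a reply came back, False if the probe was dropped or
    the path answered with 'Frag needed' (iputils exits non-zero then).
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def search_path_mtu(probe, lo=576, hi=1500):
    """Binary search the largest MTU in [lo, hi] whose DF probe succeeds.

    `probe(payload)` returns True when a packet of payload+28 bytes passes.
    Returns 0 if even the IPv4 minimum (`lo`) does not get through.
    """
    if not probe(lo - IPV4_ICMP_OVERHEAD):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2          # round up so the loop converges on lo
        if probe(mid - IPV4_ICMP_OVERHEAD):
            lo = mid                      # mid fits, look higher
        else:
            hi = mid - 1                  # mid was fragmented/dropped, look lower
    return lo


def main(host):
    pmtu = search_path_mtu(lambda payload: ping_df(host, payload))
    if pmtu == 0:
        print(f"{host}: no DF ping got through at all; check the tunnel itself")
        return
    print(f"{host}: path MTU is {pmtu}")
    if pmtu < 1500:
        # Same host reachable at 1500 on the LAN but smaller via the tunnel:
        # that is the MTU/VPN conflict; set the tunnel-side interface MTU to
        # this value (or lower) instead of leaving it at 1500.
        print(f"tunnel is shrinking the path; try an interface MTU of {pmtu}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

Run it once against a LAN host and once against the same host through the tunnel; the difference between the two results is the tunnel's overhead.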