[IPsec] Weird performance issue via IPsec/racoon tunnel

Michael Grimm trashcan at ellael.org
Sun Dec 10 20:20:31 UTC 2017


Eugene Grosbein <eugen at grosbein.net> wrote:
> 11.12.2017 2:54, Michael Grimm wrote:


>> *BUT* if I do boot with the default 1500 setting,
>> changing the MTU to e.g. 1450 and *immediately* back to 1500 manually,
>> I do not encounter any performance loss at all. Why?
>> Even when booting 1490 and immediately setting the MTU manually to 1500 I do not see any performance loss. Strange.
> 
> Interface MTU is used to assign 'mtu' attribute to corresponding route in the system routing table.
> Lowering interface MTU lowers route mtu, but raising interface MTU does *not* raise route mtu,
> use "route -n get" command to check it out. So, you still use low mtu really.

Bingo! 

	NEW> ifconfig vtnet0
	vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1490

	NEW> route -n get freebsd.org
	...
	 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
	       0         0         0         0      1490         1         0 

	NEW> ifconfig vtnet0 mtu 1500 up
	NEW> ifconfig vtnet0
	vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

	NEW> route -n get spiegel.de
	...
	 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
	       0         0         0         0      1490         1         0 


I didn't know that. And that explains all my observations.

>> Hmm, how would one check that? The output is too fast for me ;-) Seriously, how should one check this?
> 
> With your eyes :-) Use tcpdump -c flag to limit number of lines, redirect output to a file
> and carefully compare some packets using their ID that tcpshow shows.

Ok. I will do that at some later time ;-)

I'd like to thank you again for your input and with kind regards,
Michael
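
The check discussed in this message, as an added example that is not part of the original thread: a small sh script that compares the interface MTU reported by `ifconfig` with the `mtu` attribute reported by `route -n get`. The function names are hypothetical and the sample text is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: detect a route whose mtu attribute is lower than the
# interface MTU (the state left behind after lowering and re-raising the MTU).
# Sample text is constructed from the output quoted in the thread.

SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500'
SAMPLE_ROUTE=' recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1490         1         0 '

# Print the MTU from the first line of `ifconfig <if>` output read on stdin.
if_mtu() {
    awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# Print the route mtu from `route -n get <host>` output read on stdin:
# locate the "mtu" column in the header row, take that field on the next row.
route_mtu() {
    awk 'col { print $col; exit }
         $1 == "recvpipe" { for (i = 1; i <= NF; i++) if ($i == "mtu") col = i }'
}

# Return 0 and print a warning when the route mtu is below the interface MTU,
# 1 when they are consistent, 2 when either value is missing.
stale_route_mtu() {
    ifm=$1
    rtm=$2
    [ -n "$ifm" ] && [ -n "$rtm" ] || return 2
    if [ "$rtm" -lt "$ifm" ]; then
        echo "route mtu $rtm < interface mtu $ifm: route still carries the lowered value"
        return 0
    fi
    return 1
}

# Demo on the constructed sample. On a live FreeBSD host the same check is:
#   stale_route_mtu "$(ifconfig vtnet0 | if_mtu)" "$(route -n get freebsd.org | route_mtu)"
stale_route_mtu "$(printf '%s\n' "$SAMPLE_IFCONFIG" | if_mtu)" \
                "$(printf '%s\n' "$SAMPLE_ROUTE" | route_mtu)" || true
```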


