On Nov 7, 9:23*am, Fabrice Delente <fdele...@mail.cpod.fr> wrote:
> Hello.
>
> I have two laptops; one of them is connected to the internet, and acts as a
> router for the other.
>
> I'm using kernel 2.6.24 on both machines.
>
> As both laptops only have one ethernet port, and are WIFI-able, I hook up the
> router to the internet through its ethernet port, and the laptops
> communicate through WIFI.
>
> As I wanted to secure their exchanges, I set up an IPSEC link between them.
> I gave the router 192.168.1.3 for its IP, and 192.168.1.4 to the client.
>
> To route the packets, I set up 192.168.1.3 (the router) this way:
>
> /usr/local/sbin/dnsmasq
> echo 1 > /proc/sys/net/ipv4/ip_forward
> modprobe ipt_MASQUERADE
> /usr/sbin/iptables -F
> /usr/sbin/iptables -t nat -F
> /usr/sbin/iptables -t mangle -F
> /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to <IP_of_the_internet_modem>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /usr/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
> /usr/sbin/iptables -P INPUT DROP
> /usr/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
>
> To make sure that the only valid address on 192.68.1.* was that of the
> client, I added these rules to the firewall:
>
> /usr/sbin/iptables -A INPUT -s 192.168.1.4 -j ACCEPT
> /usr/sbin/iptables -A INPUT -s 192.168.1.0/255.255.255.0 -j REJECT
> /usr/sbin/iptables -A OUTPUT -s 192.168.1.3 -j ACCEPT
> /usr/sbin/iptables -A OUTPUT -s 192.168.1.0/255.255.255.0 -j REJECT
>
> However my WIFI link between the two laptops is very slow: when I ssh from
> the client to the router I have about 1 character-per-second typing and echo
> rate.
>
> Is my config flawed? How can I speed it up?
I would not suspect the iptables config to cause slowness. It will
either block 100% or let through speedily.
Just to make sure, you should try briefly with the firewall disabled.
If you are very worried about the security, use netstat -atp and
netstat -utp, and kill all programs that listen on any interface other
than the loopback interface (127.0.0.1).
Try to set up masquerading as per Rusty's Unreliable Guides, instead of
POSTROUTING SNAT.
Try something not involving IPSEC, and see how fast that is.
You could try ping -i 0.2, and you could try ping -f. Man ping.
Regards
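The "kill everything listening on a non-loopback interface" check from the reply, as an added example that is not part of the thread: a small shell filter that reads net-tools `netstat -atp` / `netstat -utp` output and prints only the sockets bound to something other than 127.0.0.1 or ::1. The sample netstat output is constructed for illustration (the process names and PIDs are made up).

```shell
#!/bin/sh
# Filter net-tools netstat output down to listeners that are reachable from
# a network interface, i.e. not bound to the loopback address.
# Expected columns: Proto Recv-Q Send-Q Local Foreign [State] PID/Program
nonloopback_listeners() {
    awk '
        # Skip the two header lines netstat prints.
        /^Active|^Proto/ { next }
        {
            proto = $1; local = $4
            # TCP rows carry a State column; only LISTEN rows are servers.
            # UDP rows have no State column, so every row is a bound socket.
            if (proto ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
            else if (proto ~ /^udp/) { prog = $6 }
            else next
            # Drop the ":port" suffix to get the bind address.
            addr = local; sub(/:[0-9*]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1") next
            print proto, local, prog
        }'
}

# Constructed sample, mimicking "netstat -atp" followed by "netstat -utp".
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 192.168.1.3:53          0.0.0.0:*               LISTEN      555/dnsmasq
tcp        0      0 192.168.1.3:22          192.168.1.4:40122       ESTABLISHED 1001/sshd
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:53            0.0.0.0:*                           555/dnsmasq
udp        0      0 192.168.1.3:53          0.0.0.0:*                           555/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           777/dhclient
EOF
}

# Usage on a live box: (netstat -atp; netstat -utp) | nonloopback_listeners
sample_netstat | nonloopback_listeners
```

On the sample this prints sshd on 0.0.0.0:22, dnsmasq on 192.168.1.3:53 (TCP and UDP) and dhclient on 0.0.0.0:68, while the loopback-only cupsd and dnsmasq sockets are left out.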