Issue #3053

ipsec statusall accounted data

Added by Antonio Mancina 11 months ago. Updated 6 months ago.

Affected version:
No change required


In the last few days, I tried to extract a bit of statistics from my local test platform using the ipsec facilities and some independent monitoring tools.

In one of my last tests, I ran an iperf-based test from one client to the ipsec concentrator. The client completed its session with the following statistics:

# iperf -c -u -b 100000 -t 20
Client connecting to, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  208 KByte (default)
[  3] local port 47325 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.2 sec   245 KBytes  99.4 Kbits/sec
[  3] Sent 172 datagrams

The IPSEC tunnel is configured with the compression enabled. The ipsec statusall command prints the following data (only meaningful part here):

 tunnel_base{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c24cd01c_i c5ba4eb9_o, IPCOMP CPIs: 0fb4_i e8dd_o
 tunnel_base{1}:  AES_CBC_192/HMAC_SHA2_384_192, 0 bytes_i, 15295 bytes_o (180 pkts, 18s ago), rekeying in 3 hours
 tunnel_base{1}: ===

so there are a bit more packets than iperf UDP generated ones but much less data transmitted (efficient compression). The amount there written is about 15kB of data.

At the same time, I ran a TCPDUMP on the output interface and computed the sum of the Length field. A sample extraction follows:

02:30:05.594572 50:ed:94:00:07:61 > e0:dd:0a:ff:00:01, ethertype IPv4 (0x0800), length 178: (tos 0x0, ttl 64, id 35517, offset 0, flags [none], proto ESP (50), length 164) > ESP(spi=0xc5ba4eb9,seq=0xa4), length 144

I took all the parts like the last length 144 (which represent the IP payload length) and computed their sum. I get exactly 180 captured bytes but 25920 bytes for the same transmission.

Is this difference something expected? Am I doing something wrong?

Thanks in advance.


#1 Updated by Tobias Brunner 11 months ago

  • Status changed from New to Feedback

See IPComp.

#2 Updated by Antonio Mancina 11 months ago

Tobias Brunner wrote:

See IPComp.

I was aware of that page, but either it contains some details which I am not reading correctly or it covers a different aspect.

Regardless of the compression threshold (iperf is generating packets which are bigger than 90 bytes, so ipsec is compressing everything), would you please help me understanding how ipsec statusall and manually collected tcpdump-based statistics differ and why?

I would tend to trust the tcpdump-based more, since they represent the traffic leaving the interface, but I would like to be sure about this.

#3 Updated by Tobias Brunner 11 months ago

would you please help me understanding how ipsec statusall and manually collected tcpdump-based statistics differ and why?

The former counts the compressed cleartext data (i.e. what you get via ip -s xfrm state), the latter the actually sent ESP packets (in tunnel mode with additional IP, with NAT with additional UDP header).

#4 Updated by Tobias Brunner 6 months ago

  • Category set to documentation
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

Also available in: Atom PDF