Configuring the CCR was quite easy, including different VLANs, routing, firewall chains and IPsec, but the IPsec throughput is a bit disappointing.
My cable connection should be able to push 200 Mbps (down) / 40 Mbps (up), and routed/NATted the CCR does this with ease. After reading http://wiki.mikrotik.com/wiki/Manual:IP ... encryption I expected the CCR to forward/encrypt IPsec traffic at the same speed as plain traffic.
With AES256 + SHA1 I'm hardly able to get 10 Mbps, and with 3DES a single transfer slowly creeps up to 30 Mbps. A Cisco ASA5540 serves as VPN concentrator, which has 1 Gbps of bandwidth. The old ASA5505 was able to encrypt/IPsec at 100 Mbps, and the CCR is configured as a drop-in replacement for the ASA5505, so the IPsec configuration was made to match the old configuration.
Phase1 AES256 + SHA1 + DH Group 5
Phase2 AES256 + SHA1 (no pfs)
Looking at the IPsec statistics *something* seems wrong, but so far I haven't been able to figure out what. Do I have to lower my expectations, or should I be able to push 200 Mbps / 40 Mbps of IPsec traffic with the CCR?
[admin@MikroTik] /ip ipsec statistics> print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 9
in-state-mode-errors: 0
in-state-sequence-errors: 43105
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 16591
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 866
out-state-protocol-errors: 297
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 297
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0
[admin@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic
0 address=[Colo ASA5540] local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret=":)" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=md5,sha1,sha256,null enc-algorithms=3des,aes-128-cbc,aes-256-cbc,camellia-256,aes-256-ctr lifetime=30m pfs-group=modp1024
1 name="asa5540" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none
[admin@MikroTik] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=[public subnet] src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=[CCR Wan address] sa-dst-address=[Colo ASA5540] proposal=asa5540
priority=0
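The statistics block in the post is a list of counters with no totals, so the useful first step is to pull out the non-zero ones and attach what each name means. The script below is an added example, not code from the poster or from MikroTik: it parses the `/ip ipsec statistics print` output copied from the post above, lists the non-zero counters largest first, and annotates them. RouterOS exposes these counters under the same names as the Linux XFRM statistics, and the one-line hints are paraphrased from the kernel's xfrm_proc documentation; they are an interpretation of the counter names, not a diagnosis of this tunnel. The function names (`parse_stats`, `nonzero_counters`, `report`) are my own.

```python
import re
from typing import Dict, List, Tuple

# `/ip ipsec statistics print` output copied verbatim from the post above.
SAMPLE_STATS = """\
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 9
in-state-mode-errors: 0
in-state-sequence-errors: 43105
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 16591
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 866
out-state-protocol-errors: 297
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 297
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0
"""

# Hints for the counters that are non-zero in the post. The RouterOS names
# mirror the Linux XFRM counters (/proc/net/xfrm_stat); the descriptions are
# paraphrased from the kernel's xfrm_proc documentation and are an
# interpretation of the names, not a diagnosis of this particular tunnel.
HINTS: Dict[str, str] = {
    "in-state-protocol-errors": "inbound ESP failed protocol processing (e.g. wrong key / auth failure)",
    "in-state-sequence-errors": "inbound ESP sequence number outside the anti-replay window, packet dropped",
    "in-template-mismatches": "decrypted packet did not match the policy template (SA fine, selector wrong)",
    "out-no-states": "outbound packet matched a policy but no SA was available at that moment",
    "out-state-protocol-errors": "outbound packet failed protocol processing",
    "out-state-expired": "outbound packet hit an SA whose lifetime had already expired",
}

LINE_RE = re.compile(r"^\s*([a-z][a-z-]*):\s*(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Parse `name: value` lines into a dict (insertion order kept); other lines are ignored."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def nonzero_counters(stats: Dict[str, int]) -> List[Tuple[str, int]]:
    """Non-zero counters, largest first; ties keep their original order (sort is stable)."""
    return sorted(((k, v) for k, v in stats.items() if v),
                  key=lambda kv: kv[1], reverse=True)


def report(stats: Dict[str, int]) -> List[str]:
    """One line per non-zero counter with the XFRM-derived hint where one is known."""
    lines: List[str] = []
    for name, value in nonzero_counters(stats):
        hint = HINTS.get(name, "no hint recorded for this counter")
        lines.append(f"{name}={value}: {hint}")
    return lines


if __name__ == "__main__":
    for line in report(parse_stats(SAMPLE_STATS)):
        print(line)
```

Run against the posted output it puts `in-state-sequence-errors` (anti-replay drops) and `in-template-mismatches` at the top; rerunning it a minute apart on a live router, while a transfer is going, shows which of these are still climbing rather than left over from tunnel setup.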