amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

slow ipsec bandwidth test across fiber line

Fri Feb 23, 2007 6:18 pm

Hi,

we're using RouterOS 2.9.39 for connecting two company subsidiaries via ipsec. We're using a 10 Mbit/sec fiber line, but because of the transatlantic "jump" we have latencies around 170 ms.

The ipsec connection works, but now we would like to do a bandwidth test using the RouterOS provided services across the VPN network.

Independent of the direction, we only get around max 2 Mbit/sec according to the test.

1) How to tune this?
2) What about this magic TCP window size things which need to be tuned?
3) In fact, using a directly connected OpenBSD box and iperf, we actually are able to transfer around 9 MB/sec over the link - but this needs a tcp window size of around 200 kb.

Any expert around here knowing something about ipsec and high latency via RouterOS?

Thanks for any comments or help with this.

Achim
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Fri Feb 23, 2007 7:38 pm

How were you performing the test?

Were the IPSec endpoints also the bandwidth test client/server, or were you testing 'thru' them?

Was the OpenBSD hardware similar to that of the Mikrotik hardware?

We've run the bandwidth testing up to a full gigabit in both directions, but depending on configuration and hardware that mileage may vary. Never done it with IPSec in between though.
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Fri Feb 23, 2007 7:44 pm

>Were the IPSec endpoints also the bandwidth test client/server, or were you testing 'thru' them?

Yes, the RouterOS box (intel/3GHz) is doing the ipsec and I'm using the bandwidth test tools on the same boxes.

>Was the OpenBSD hardware similar to that of the Mikrotik hardware?

Yes, exactly the same hardware.

>We've run the bandwidth testing up to a full gigabit in both directions

Using which latency? The latency is important for the speed, isn't it?

Achim
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Re: slow ipsec bandwidth test across fiber line

Sat Feb 24, 2007 1:57 am

>Hi,
>
>we're using RouterOS 2.9.39 for connecting two company subsidiaries via ipsec. We're using a 10 Mbit/sec fiber line, but because of the transatlantic "jump" we have latencies around 170 ms.
>
>The ipsec connection works, but now we would like to do a bandwidth test using the RouterOS provided services across the VPN network.
>
>Independent of the direction, we only get around max 2 Mbit/sec according to the test.
>
>1) How to tune this?
>2) What about this magic TCP window size things which need to be tuned?
>3) In fact, using a directly connected OpenBSD box and iperf, we actually are able to transfer around 9 MB/sec over the link - but this needs a tcp window size of around 200 kb.
>
>Any expert around here knowing something about ipsec and high latency via RouterOS?
>
>Thanks for any comments or help with this.
>
>Achim

RouterOS will use small windows, and I'm not even sure if it permits using large windows or SACK on RouterOS itself, although any host on either side may use them without problems.
For a 170 ms link you need to adjust TCP windows on each host, as typically Windows XP (which was released a long time ago) has its window size tuned to 2 Mbit lines.
Oh, and stay away from DES or 3DES and stick to, say, AES for the IPsec tunnel itself. You might want to adjust TCP MSS for less fragmentation (and thus better performance).
Personally I'd use l2tp/ipip for the tunneling and stick to end-to-end IPsec and not tunnel mode, for the ease of management and higher efficiency.
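
The figures discussed in this thread (10 Mbit/s, 170 ms, a window of around 200 kB, AES versus 3DES, MSS adjustment) can be worked through with the sketch below. It is an added example, not part of any post; it assumes IPv4 without options, ESP tunnel mode with a CBC cipher and HMAC-SHA1-96, no NAT-T and a 1500-byte path MTU, none of which the thread states.

```python
# Added example: TCP window and MSS sizing for an IPsec tunnel over a long link.
# Assumptions (not from the thread): IPv4 without options, ESP tunnel mode,
# CBC cipher, 12-byte ICV (HMAC-SHA1-96), no NAT-T, 1500-byte path MTU.

OUTER_IP = 20       # outer IPv4 header added by tunnel mode
ESP_HEADER = 8      # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header, encrypted with the payload
ICV = 12            # HMAC-SHA1-96 integrity check value (assumed)
INNER_HEADERS = 40  # inner IPv4 + TCP headers, no TCP options

CBC_BLOCK = {"3des": 8, "aes": 16}  # for CBC the IV is one cipher block


def window_for(bandwidth_bps, rtt_ms):
    """Bandwidth-delay product in bytes: data in flight needed to fill the link."""
    return bandwidth_bps * rtt_ms // 8000


def ceiling_bps(window_bytes, rtt_ms):
    """Best-case TCP throughput when at most one window is sent per round trip."""
    return window_bytes * 8000 // rtt_ms


def window_scale_shift(window_bytes):
    """Smallest TCP window-scale shift able to advertise window_bytes."""
    shift = 0
    while (65535 << shift) < window_bytes:
        shift += 1
    return shift


def max_mss(cipher, path_mtu=1500):
    """Largest TCP MSS whose ESP tunnel-mode packet still fits in path_mtu."""
    block = CBC_BLOCK[cipher]
    room = path_mtu - OUTER_IP - ESP_HEADER - block - ICV  # space for ciphertext
    ciphertext = room - room % block                       # CBC needs whole blocks
    return ciphertext - ESP_TRAILER - INNER_HEADERS


if __name__ == "__main__":
    print("window to fill 10 Mbit/s at 170 ms:", window_for(10_000_000, 170), "bytes")
    print("window-scale shift needed:", window_scale_shift(window_for(10_000_000, 170)))
    print("ceiling with an unscaled 64 KB window:", ceiling_bps(65535, 170), "bit/s")
    print("window implied by 2 Mbit/s at 170 ms:", window_for(2_000_000, 170), "bytes")
    for cipher in ("3des", "aes"):
        print("max MSS through the tunnel,", cipher + ":", max_mss(cipher))
```

If TCP timestamps or other options are in use, the usable payload per segment is smaller than the MSS shown by the size of those options.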
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Sat Feb 24, 2007 10:20 am

Thanks for the info.

>personally I'd use l2tp/ipip for the tunneling and stick to end-to-end ipsec and not tunnel mode

But we need to connect the entire company networks. Does this work with l2tp/ipip also? The box is a 3 GHz system. So encryption speed should not be the limit.

>For a 170 ms link you need to adjust tcp windows on each host

Yes, and if I use TCP services on RouterOS I need to tune the TCP window there. But see my post about "tcp window size" at http://forum.mikrotik.com/viewtopic.php?t=14100

Doing intercontinental work, it's quite common to have latencies > 150 ms. Not good news to hear that RouterOS does not support the required features here, because we were thinking of replacing all the OpenBSD based VPN and firewall systems with RouterOS boxes.

Any official comments?

Thanks,
Achim
