Community discussions

MikroTik App
  4. RouterOS
  5. General

IPSec slow

Post Reply
 
afuente26
just joined
Topic Author
Posts: 22
Joined: Mon Jan 28, 2019 12:24 pm

IPSec slow

Sat Sep 09, 2023 12:31 am

Hello,

i use a pure ipsec tunnel without l2tp to link to sites.

The setup is esasy and the link is established. Of course, I´ve disabled the forwarding,

I can reach the LAN from one site to the other. But the speed is only about 3Mbps, not more

The hardware is a RB1100 and an RB4011.

After a lot of hours trying and reading, I want to ask for help...

Somebody who could help me?

Thanks
Angel
Top
 
johnson73
Member Candidate
Member Candidate
Posts: 233
Joined: Wed Feb 05, 2020 10:07 am

Re: IPSec slow

Sun Sep 10, 2023 11:40 am

I have a similar problem with the mikrotik CCR1009(vers. 7.11, road warrior connection). When switching to the 7.x version, iPsec L2tp remained slow. There were no such problems with the 6.x versions.
In the office, the connection is 1gb/s, but at home 600Mbps. L2tp ipsec data transfer speed is not higher than 10-12Mbit/s. Download/upload without using L2tp ipsec vpn works fine, with full line speed.
Configuration for the router only "default rules" plus 2 L2tp rules against download/file.php?id=48815 (port 500,1701,4500)

Where to look for the problem? Software bug?
Top
 
sas2k
Member Candidate
Member Candidate
Posts: 102
Joined: Tue Jan 18, 2022 8:17 am

Re: IPSec slow

Sun Sep 10, 2023 9:14 pm

But the speed is only about 3Mbps, not more

The hardware is a RB1100 and an RB4011.
4011 is extremely powerful, 1100 is not.
I mean old 1100.
Ax4 is powerful as well.
https://mikrotik.com/product/rb1100ahx4 ... estresults
Ipsec requires strong cpu.

You should select ciphers appropriate for your cpu.
Go to routerboard specs page, performance.
E.g. 4011 supports many hardware acceleration ciphers for ipsec.
I use 4011 with following:
Ip-ipsec-proposals
There default proposal.
Auth algorithm : sha1
Encr alg: aes-128-cbc

Ip-ipsec-profiles
There default profile
Hash alg: sha1
Prf: auto
Encr alg: aes-128
Dh group: modp1024

This corresponds to top ipsec speed ad the perf page of 4011:
https://mikrotik.com/product/rb4011igs_ ... estresults

Of course both peers should communicate via same cifers, both should have hw acceleration.

1100 if it is not an ax4 should go to trade in :)

Another big thing is mtu.
I use 1400, as it corresponds the top speed at the pert page.

My 4011 speed 200 mbit ipsec upload and download just because it is ISP speed.
Same ipsec setup for rb760igs: speed is approx 100 mbit ...
Top
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: IPSec slow

Sun Sep 10, 2023 10:28 pm

Please check the product page for CPU model and IPSec performance specs. Then check the IPsec specs to determine which encryption method should be used at both ends in order to optimize hardware acceleration.
Top
Post Reply

Who is online

Users browsing this forum: networkfudge and 76 guests
  4. RouterOS
  5. General