Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Thu Mar 26, 2009 4:45 pm
by wkstill
So, After testing, and more testing, and more testing, the MAX speed I could get over ipsec was 125Mbps...
Since Version 3.20 they state the RB1000 can now do "500Mbps" using IPSEC ..
I would like to see the samples used for this test.. because I can't get it..
Test Procedure:
Tools Used:
(2) IBM T61 Think Pads w/gigabit Ethernet Ports
(2) Two Foot Cat 6 Network Patch Cables
(1) One Foot Cat 6 Network Patch Cables
(2) RB1000 Brand New Out of the Box.
TCP Optimizer set to Max Connection Size.
iperf using the "tcp" test of -P 30 -t 60 (other than the standard -s/-c for client/server)
Tested Between Laptops averaged ~ 600Mbps
Since, "Multiple" Policies can't use the same peer bug, I resorted to setting up a "Standard" L2TP Client/Server Tunnel, with no-encryption/compression.
Tested Between RB1000 averaged ~ 450Mbps
Now, I set up an "IPSEC" Tunnel between the two RB1000 using sha1 - 3des , policy is for the public ip of each rb1000.. (so, basically, any traffic between the two rb1000's is encrypted using IPsec..)
Result: Speed Drops to 125Mbps..
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Thu Mar 26, 2009 5:01 pm
by wkstill
ok, did the same "test" without using the L2TP Tunnel (basically uses the IPSEC Tunnel by itself), using the built-in "Bandwidth Test", max Send/Receive is 146Mbps.
UDP on the other hand averages 350Mbps TX, 350Mbps..
ipsec "export"
[admin@OnSite] /ip ipsec> export
# jan/01/1970 17:15:22 by RouterOS 3.22
# software id = MEIS-PTT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=66.xxx.xxx.73/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
lifetime=1d nat-traversal=no proposal-check=obey secret=********** send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=66.xxx.xxx.73/32:any ipsec-protocols=esp level=require priority=0 proposal=\
default protocol=all sa-dst-address=66.xxxx.xxx.73 sa-src-address=66.xxx.xxx.72 src-address=66.xxx.xxx.72/32:any tunnel=\
no
[admin@OffSite] /ip ipsec> export
# jan/01/1970 22:57:30 by RouterOS 3.22
# software id = REIS-PTT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=66.xxx.xxx.72/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive generate-policy=yes hash-algorithm=sha1 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=********** send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=66.xxx.xxx.72/32:any ipsec-protocols=esp level=require priority=0 proposal=default \
protocol=all sa-dst-address=66.xxx.xxx.72 sa-src-address=66.xxx.xxx.73 src-address=66.xxx.xxx.73/32:any tunnel=no
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Thu Mar 26, 2009 5:18 pm
by msundman
I've also been running a lot of tests on this and got similar results.
I was able to push about 160 Mbps using iperf with default settings between two linux boxes over two RB1000 connected back to back with a standard IPSec tunnelmode tunnel AES-128/SHA1.
I emailed support and asked whether I had to do anything special to enable hardware encryption, but the answer was no. So I still wonder why I'm not able to push more traffic.
If I understood them correctly they are using Agilent test equipment to send UDP traffic, which differs from iperf, which defaults to TCP. I've not had time to do any more tests using UDP, but I will.
What surprises me most though is that I was able to push about 105 Mbps using ROS 3.19, which is not supposed to support hardware encryption. My increase from 105 -> 160 is, in percentage terms, much lower than the increase they mention in the CHANGELOG. I was at least expecting an increase of about the same percentage as they saw.
Using an IPIP over transport mode IPsec tunnel lowered the result to about 120 Mbps (on ROS 3.22).
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Thu Mar 26, 2009 5:29 pm
by wkstill
well, I am kinda upset over this.. The fact they SAY it will do it, but it doesn't, is kinda misleading..
Last I checked, Agilent Test Equipment can't measure squat, I had a Circuit that would test "fine" but it turns out, would perform worth a beans, the provider then stopped using their Agilent Test Equipment and uses "Dedicated" Testing Laptops using off the shelf "Testing" Software..
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Fri Apr 10, 2009 12:15 am
by wkstill
anybody have any ideas?
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Fri Apr 17, 2009 10:52 am
by normis
we tested like this:
TEST PC ---> RB1000 ~~~~ IPSEC ~~~~~RB1000 ---> TEST PC2
you only have one RB1000 so there are a lot of unknowns in your test conditions
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Tue Apr 21, 2009 12:24 am
by wkstill
I used two new IBM ThinkPad T61's, and two NEW RB1000's, and used iperf in TCP and UDP modes.. Never got over 150mbits, turning off ipsec, and it shot up to 500mbits..
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Tue Apr 21, 2009 9:19 am
by normis
where is your IPsec connected to, if there is only one RB in the middle?
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Tue Apr 21, 2009 2:28 pm
by msundman
Who has said there was only one RB?
Both me and wkstill have said that we used two RB1000s connected back-to-back when we did our tests.
Br // Mathias
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Tue Apr 21, 2009 3:05 pm
by normis
we also did the same tests, so something must be different. please contact support with more details of your config.
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Tue Apr 21, 2009 10:45 pm
by wkstill
I completely redid the tests.
udp test, no ipsec, using jperf
bin/iperf.exe -c 10.0.0.10 -u -P 1 -i 1 -p 5001 -l 32K -f k -b 200M -t 10 -T 1
------------------------------------------------------------
Client connecting to 10.0.0.10, UDP port 5001
Sending 32768 byte datagrams
UDP buffer size: 8.00 KByte (default)
------------------------------------------------------------
[1912] local 10.0.0.1 port 2059 connected with 10.0.0.10 port 5001
[ ID] Interval Transfer Bandwidth
[1912] 0.0- 1.0 sec 24448 KBytes 200278 Kbits/sec
[1912] 1.0- 2.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 2.0- 3.0 sec 24448 KBytes 200278 Kbits/sec
[1912] 3.0- 4.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 4.0- 5.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 5.0- 6.0 sec 24448 KBytes 200278 Kbits/sec
[1912] 6.0- 7.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 7.0- 8.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 8.0- 9.0 sec 24448 KBytes 200278 Kbits/sec
[1912] 9.0-10.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 0.0-10.0 sec 244320 KBytes 199835 Kbits/sec
[1912] Server Report:
[1912] 0.0-10.0 sec 207872 KBytes 170555 Kbits/sec 3.319 ms 1139/ 7635 (15%)
[1912] Sent 7635 datagrams
Done.
Same test, with IPSEC on.
bin/iperf.exe -c 10.0.0.10 -u -P 1 -i 1 -p 5001 -l 32K -f k -b 200M -t 10 -T 1
------------------------------------------------------------
Client connecting to 10.0.0.10, UDP port 5001
Sending 32768 byte datagrams
UDP buffer size: 8.00 KByte (default)
------------------------------------------------------------
[1912] local 10.0.0.1 port 2099 connected with 10.0.0.10 port 5001
[ ID] Interval Transfer Bandwidth
[1912] 0.0- 1.0 sec 24448 KBytes 200278 Kbits/sec
[1912] 1.0- 2.0 sec 23712 KBytes 194249 Kbits/sec
[1912] 2.0- 3.0 sec 24096 KBytes 197394 Kbits/sec
[1912] 3.0- 4.0 sec 24416 KBytes 200016 Kbits/sec
[1912] 4.0- 5.0 sec 24096 KBytes 197394 Kbits/sec
[1912] 5.0- 6.0 sec 24064 KBytes 197132 Kbits/sec
[1912] 6.0- 7.0 sec 24064 KBytes 197132 Kbits/sec
[1912] 7.0- 8.0 sec 23744 KBytes 194511 Kbits/sec
[1912] 8.0- 9.0 sec 24064 KBytes 197132 Kbits/sec
[1912] 9.0-10.0 sec 23744 KBytes 194511 Kbits/sec
[1912] 0.0-10.0 sec 240480 KBytes 196694 Kbits/sec
[1912] Server Report:
[1912] 0.0-10.0 sec 239808 KBytes 196451 Kbits/sec 0.000 ms 21/ 7515 (0.28%)
[1912] 0.0-10.0 sec 1028 datagrams received out-of-order
[1912] Sent 7515 datagrams
Done.
Note the amount of "out-of-order" udp datagrams, this amount of out-of-order datagrams is bad... no matter how you slice it.
Here are the same tests with TCP....
Single TCP Stream for 10 seconds.
One TCP Stream, 10 Seconds
bin/iperf.exe -c 10.0.0.10 -P 1 -i 1 -p 5001 -f k -t 10
------------------------------------------------------------
Client connecting to 10.0.0.10, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1912] local 10.0.0.1 port 2047 connected with 10.0.0.10 port 5001
[ ID] Interval Transfer Bandwidth
[1912] 0.0- 1.0 sec 22128 KBytes 181273 Kbits/sec
[1912] 1.0- 2.0 sec 21736 KBytes 178061 Kbits/sec
[1912] 2.0- 3.0 sec 15808 KBytes 129499 Kbits/sec
[1912] 3.0- 4.0 sec 25688 KBytes 210436 Kbits/sec
[1912] 4.0- 5.0 sec 27792 KBytes 227672 Kbits/sec
[1912] 5.0- 6.0 sec 30928 KBytes 253362 Kbits/sec
[1912] 6.0- 7.0 sec 31248 KBytes 255984 Kbits/sec
[1912] 7.0- 8.0 sec 22336 KBytes 182977 Kbits/sec
[1912] 8.0- 9.0 sec 30704 KBytes 251527 Kbits/sec
[1912] 9.0-10.0 sec 29528 KBytes 241893 Kbits/sec
[1912] 0.0-10.0 sec 257904 KBytes 210945 Kbits/sec
Done.
as you can see, about 200mbit, I also was able to get 400mbit reliably full duplex with 5 tcp streams.
Same TCP Test with IPSEC enabled.
bin/iperf.exe -c 10.0.0.10 -P 1 -i 1 -p 5001 -f k -t 10
------------------------------------------------------------
Client connecting to 10.0.0.10, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1912] local 10.0.0.1 port 2084 connected with 10.0.0.10 port 5001
[ ID] Interval Transfer Bandwidth
[1912] 0.0- 1.0 sec 8944 KBytes 73269 Kbits/sec
[1912] 1.0- 2.0 sec 6400 KBytes 52429 Kbits/sec
[1912] 2.0- 3.0 sec 7128 KBytes 58393 Kbits/sec
[1912] 3.0- 4.0 sec 6920 KBytes 56689 Kbits/sec
[1912] 4.0- 5.0 sec 6664 KBytes 54591 Kbits/sec
[1912] 5.0- 6.0 sec 7504 KBytes 61473 Kbits/sec
[1912] 6.0- 7.0 sec 6392 KBytes 52363 Kbits/sec
[1912] 7.0- 8.0 sec 6632 KBytes 54329 Kbits/sec
[1912] 8.0- 9.0 sec 6768 KBytes 55443 Kbits/sec
[1912] 9.0-10.0 sec 7312 KBytes 59900 Kbits/sec
[1912] 0.0-10.0 sec 70672 KBytes 57804 Kbits/sec
Done.
config stuff..
/ip address
add address=10.0.0.2/30 broadcast=10.0.0.3 comment="" disabled=no interface=\
ether1 network=10.0.0.0
add address=10.0.0.5/30 broadcast=10.0.0.7 comment="" disabled=no interface=\
ether2 network=10.0.0.4
/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=10.0.0.6/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
"pre-shared key" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.0.0.8/30:any ipsec-protocols=\
ah,esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=10.0.0.6 sa-src-address=10.0.0.5 src-address=\
10.0.0.0/30:any tunnel=yes
/ip address
add address=10.0.0.6/30 broadcast=10.0.0.7 comment="" disabled=no interface=\
ether2 network=10.0.0.4
add address=10.0.0.9/30 broadcast=10.0.0.11 comment="" disabled=no interface=\
ether1 network=10.0.0.8
/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=10.0.0.5/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
"pre-shared key" send-initial-contact=no
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.0.0.0/30:any ipsec-protocols=\
ah,esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=10.0.0.5 sa-src-address=10.0.0.6 src-address=\
10.0.0.8/30:any tunnel=yes
all this + more has been sent to support.
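Added example, not part of the original posts: a small Python parser for the iperf 2 "Server Report" section, used here to put the two UDP runs above side by side on receiver-side loss and reordering. The sample text is copied from the post; the function names and the choice to express reordering as a share of received datagrams are assumptions of this example.

```python
import re

# Server-report sections copied from the two UDP runs posted above.
BASELINE = """\
[1912] Server Report:
[1912] 0.0-10.0 sec 207872 KBytes 170555 Kbits/sec 3.319 ms 1139/ 7635 (15%)
"""
IPSEC = """\
[1912] Server Report:
[1912] 0.0-10.0 sec 239808 KBytes 196451 Kbits/sec 0.000 ms 21/ 7515 (0.28%)
[1912] 0.0-10.0 sec 1028 datagrams received out-of-order
"""

REPORT = re.compile(
    r"sec\s+\d+ KBytes\s+(?P<kbps>\d+) Kbits/sec\s+"
    r"(?P<jitter>[\d.]+) ms\s+(?P<lost>\d+)/\s*(?P<total>\d+)")
REORDER = re.compile(r"sec\s+(?P<n>\d+) datagrams received out-of-order")


def parse_server_report(text):
    """Extract receiver-side throughput, loss and reordering (iperf 2 UDP)."""
    lines = text.splitlines()
    # Lines before "Server Report:" are sender-side and say nothing about loss.
    start = next((i for i, l in enumerate(lines) if "Server Report:" in l), None)
    if start is None:
        raise ValueError("no server report in log")
    stats = {"reordered": 0}
    for line in lines[start + 1:]:
        m = REPORT.search(line)
        if m:
            stats.update(kbps=int(m["kbps"]), jitter_ms=float(m["jitter"]),
                         lost=int(m["lost"]), total=int(m["total"]))
        m = REORDER.search(line)
        if m:
            stats["reordered"] = int(m["n"])
    if "total" not in stats:
        raise ValueError("server report has no summary line")
    received = max(stats["total"] - stats["lost"], 1)  # avoid divide-by-zero
    stats["loss_pct"] = round(100 * stats["lost"] / max(stats["total"], 1), 2)
    stats["reorder_pct"] = round(100 * stats["reordered"] / received, 2)
    return stats


def compare(baseline, tunnel):
    """Summarise how the tunnel run differs from the clear-text run."""
    b, t = parse_server_report(baseline), parse_server_report(tunnel)
    return {"kbps_delta": t["kbps"] - b["kbps"],
            "loss_pct": (b["loss_pct"], t["loss_pct"]),
            "reorder_pct": (b["reorder_pct"], t["reorder_pct"])}
```

On the posted figures, `compare(BASELINE, IPSEC)` gives 14.92% loss and no reordering without IPsec, against 0.28% loss and 13.72% reordering with IPsec.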
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Fri Apr 24, 2009 6:11 pm
by wkstill
I have given up..
Now they say they are using 4 routerboards to do the test..
I am not going to go buy 2 more rb1000's..
Last Response:
Hello,
R3----R1---[ipsec]--R2-----R4
R1 and R2 are RB1000 running ipsec
R3 and R4 are mikrotik routers
Configuration I used, and was unable to get 300MBps 1500byte packets UDP bandwidth test running from R3 to R4 without any problems.
When we did initial tests, we used expensive hardware (Agilent) instead of R3 and R4 routers, which can generate any traffic we specify and give out very precise information.
Router1 config
[admin@MikroTik] /ip ipsec> export
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=4.5.4.2/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey \
secret=123 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=9.9.9.0/24:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default protocol=\
all sa-dst-address=4.5.4.2 sa-src-address=4.5.4.1 src-address=10.1.101.0/24:any tunnel=yes
Router2 config
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=4.5.4.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey \
secret=123 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.1.101.0/24:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default protocol=\
all sa-dst-address=4.5.4.1 sa-src-address=4.5.4.2 src-address=9.9.9.0/24:any tunnel=yes
Regards,
Maris
I even tried the "btest" software on their website, same epic failure.
Re: Can't get over 130Mbits on Two RB1000 using IPSEC
Posted: Thu Apr 30, 2009 6:17 pm
by wkstill
after finally re-configuring everything, I am happy to say, in layman's terms, I can get a stable 60Mbit Symmetrical TCP Connection between two RB1000's with a temporary Hardwired 100Mbit Ethernet Link.