RB2011 IPSec throughput

_saik0 · Sun Mar 15, 2015 12:43 am

Can anyone say what is the typical throughput with AES128 IPsec configuration for RB2011?

Currently i'm getting 100% CPU with NAT masquerade, 20-30 firewall rules, IPSec/L2TP VPN connection with about 20Mbps transfer.
I was expecting a bit more than that....

On the other end of the same VPN is a x86 ROS5.14 mikrotik with an old celeron 1333Mhz board and it's only at 20-30% CPU.

Fabian · Mon Mar 16, 2015 12:27 am

Does /ip ipsec statistics print show any notable counters ?

If your in-state-sequence-errors is high, i'm guessing a ROS issue. http://forum.mikrotik.com/viewtopic.php?f=2&t=94625

_saik0 · Mon Mar 16, 2015 11:48 pm

hm,

ipsec statistics doesn't seem to show any rapidly increasing counters.
I do have some static values tho:

> /ip ipsec statistics print
                  in-errors: 0
           in-buffer-errors: 0
           in-header-errors: 0
               in-no-states: 21399
   in-state-protocol-errors: 27
       in-state-mode-errors: 0
   in-state-sequence-errors: 73
           in-state-expired: 0
        in-state-mismatches: 0
           in-state-invalid: 1599
     in-template-mismatches: 5
             in-no-policies: 0
          in-policy-blocked: 0
           in-policy-errors: 0
                 out-errors: 0
          out-bundle-errors: 0
    out-bundle-check-errors: 0
              out-no-states: 13342
  out-state-protocol-errors: 1903
      out-state-mode-errors: 0
  out-state-sequence-errors: 0
          out-state-expired: 1903
         out-policy-blocked: 0
            out-policy-dead: 0
          out-policy-errors: 0

This is the cpu usage during a ~16-17Mbps transfer:

> tool profile duration=10s
NAME                    CPU        USAGE
l2tp                    all         3.5%
wireless                all           0%
spi                     all         3.5%
ethernet                all         7.5%
ntp                     all           0%
console                 all           1%
flash                   all           0%
dns                     all           0%
firewall                all        15.5%
networking              all          13%
ipsec                   all           0%
winbox                  all         0.5%
mpls                    all         0.5%
logging                 all           0%
management              all           3%
encrypting              all        32.5%
routing                 all           0%
idle                    all         8.5%
profiling               all           1%
queuing                 all           4%
telnet                  all           0%
bridging                all           1%
unclassified            all           5%

This is in comparison to same transfer with NAT only:

> tool profile duration=10s
NAME                    CPU        USAGE
l2tp                    all           0%
wireless                all         0.5%
spi                     all         3.5%
ethernet                all         2.5%
ntp                     all           0%
console                 all         0.5%
firewall                all         5.5%
networking              all           3%
winbox                  all         0.5%
mpls                    all           0%
management              all         5.5%
encrypting              all           0%
routing                 all           0%
idle                    all        69.5%
queuing                 all         3.5%
telnet                  all         0.5%
bridging                all           1%
unclassified            all           4%

Isn't firewall cpu usage too high? Or is the firewall process actually deencapsulates l2tp?
Also, there seems something is strange when transfer is performed through L2TP/IPSec VPN.
I'm seeing double packet rate on my first ip firewall filter rule

/ip firewall filter

add chain=input connection-state=established

add chain=input connection-state=related
add chain=input src-address=10.0.0.0/12
add chain=input protocol=ospf src-address=172.16.0.0/27
add chain=input protocol=icmp

add chain=input protocol=ipsec-esp

add chain=input protocol=ipsec-ah
add chain=input protocol=ipv6 src-address=216.66.80.98
add chain=input protocol=gre

add chain=input dst-port=1701 protocol=udp

add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=500 protocol=udp
add action=reject chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp reject-with=tcp-reset src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=5d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment="accept ssh connections from anywhere" dst-port=22 \
    protocol=tcp
add chain=input comment="accept connections to http from anywhere" dst-port=\
    80 protocol=tcp
add chain=input comment="accept https connections from anywhere" dst-port=443 \
    protocol=tcp
add chain=input comment="accept winbox connections from anywhere" dst-port=\
    8291 protocol=tcp
add chain=input comment="accept SNMP/trap connections from anywhere" \
    dst-port=161,162 protocol=udp
add action=drop chain=input comment="default configuration" in-interface=\
    ether10-gateway
add action=drop chain=forward disabled=yes layer7-protocol=ebay-url \
    src-address-list=zh
add action=drop chain=forward disabled=yes layer7-protocol=facebook-url \
    src-address-list=zh
add chain=input comment="accept RADIUS auth from LAN" dst-port=1812,1813 \
    in-interface=bridge-local protocol=tcp

When I disable the first filter rule then packet rate is seen as actual rate but on both rules: ipsec-esp and udp port 1701.
I realize that due to ipsec and l2tp encapsulation traffic passes through input filter "twice" but should I actually see double packet rate? This doesn't change even if I explicitly set input interface for the first rule.

Any thoughts?

_saik0 · Thu Mar 19, 2015 9:56 pm

Anyone?

barkas · Fri Mar 20, 2015 9:39 am

Seems reasonable to me.

marrold · Fri Mar 20, 2015 11:38 am

I had similar performance on my RB2011 around 15-20Mb/s

_saik0 · Fri Mar 20, 2015 7:29 pm

Hm,

Was expecting a bit more :/

monster · Wed Mar 25, 2020 11:50 pm

Hi,
At the moment I get about 30 Mbps of AES128 tunnel on RB2011

Even with the all encrypted traffic sent to prerouting > notrack

[nawrocki@MikroTik] /ip firewall raw> print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough

 1    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.181.0/24 dst-address=10.10.10.0/24

 2    chain=prerouting action=notrack log=no log-prefix="" src-address=10.10.10.0/24 dst-address=192.168.181.0/24
[nawrocki@MikroTik] /ip firewall raw>

On the other side of the tunnel I have RB4011 which reaches about 1-2% CPU

At the moment I'm looking for some cheap Mikrotik Router which will handle 100Mbps on AES128.
Any Suggestions?
hAP ac2?

RB2011 IPSec throughput

RB2011 IPSec throughput

Re: RB2011 IPSec throughput

Re: RB2011 IPSec throughput

Re: RB2011 IPSec throughput

AW: RB2011 IPSec throughput

Re: RB2011 IPSec throughput

Re: RB2011 IPSec throughput

Re: RB2011 IPSec throughput