Community discussions

 
Larsa
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Aug 29, 2015 7:40 pm
Reputation: 0

CCR1009/RB3011, recommended settings for best VPN performance?

Fri Feb 17, 2017 4:12 pm

Can anyone please recommend the best possible vpn procol type and encyption algorithm that possibly can utilize hardware acceleration on CCR1009 <=> RB3011 (Ros 6.37.4) to obtain maximum VPN performance. They are hooked up with SFP to a 500 Mbit fiber line...

Thanks in advance!
 
haplessuser
just joined
Posts: 19
Joined: Tue Sep 27, 2016 10:06 pm
Reputation: 0

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Fri Feb 17, 2017 9:25 pm

I assume you mean a site-to-site VPN. IPsec is actually pretty light as far as VPN tech goes, but your limiting factor will be your link between the two routers compounded by your underlying encryption. Heavy encryption = more security = slower speeds. So the fastest? Don't encrypt. But you'll have to determine if this is feasible with your environment.
 
Larsa
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Aug 29, 2015 7:40 pm
Reputation: 0

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Fri Feb 17, 2017 10:15 pm

Well, of course we want to have encryption. ;-) But what I was wondering about is what type of encryption algorithm (e.g. DES, AES, etc) that would be most efficient in terms of hardware acceleration in order to get the highest possible speed without to much load on the main processor on a RB3100 connected to a CCR1009.

According to the Qualcomm specs, the IPQ8064 has support for IPSec hardware encryption but I can't find any info regarding the RB3011 on the product pages or wiki...
 
nathan1
newbie
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Fri Feb 17, 2017 11:37 pm

Larsa wrote:
Well, of course we want to have encryption. ;-) But what I was wondering about is what type of encryption algorithm (e.g. DES, AES, etc) that would be most efficient in terms of hardware acceleration in order to get the highest possible speed without to much load on the main processor on a RB3100 connected to a CCR1009.

According to the Qualcomm specs, the IPQ8064 has support for IPSec hardware encryption but I can't find any info regarding the RB3011 on the product pages or wiki...


See this thread: viewtopic.php?f=1&t=112545
 
haplessuser
just joined
Posts: 19
Joined: Tue Sep 27, 2016 10:06 pm
Reputation: 0

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Sat Feb 18, 2017 12:00 am

Larsa wrote:
Well, of course we want to have encryption. ;-) But what I was wondering about is what type of encryption algorithm (e.g. DES, AES, etc) that would be most efficient in terms of hardware acceleration in order to get the highest possible speed without to much load on the main processor on a RB3100 connected to a CCR1009.

According to the Qualcomm specs, the IPQ8064 has support for IPSec hardware encryption but I can't find any info regarding the RB3011 on the product pages or wiki...


That's easier then. Use AES over DES. 3DES is notoriously slow in software, and it's unlikely to be optimized in hardware.

As far as 3011 support, it does not seem to be in the firmware suite yet, despite being a capability on the chip:
http://wiki.mikrotik.com/wiki/Manual:IP ... encryption

According to that link above, only the following have encryption hardware offload capabilities, and then only for AES:
hEX v3 (RB750Gr3 model only)
All Cloud Coure Router series devices
RB1100AHx2
RB1000
RB850Gx2 (only starting 2016, serial numbers that begin with number 5)
 
Larsa
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Aug 29, 2015 7:40 pm
Reputation: 0

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Sat Feb 18, 2017 12:01 am

nathan1 wrote:

So if I understand it correctly, by using HW acceleration on a CCR you may instead encounter a reorder problem? Yay! :-) Unfortunately I didn't find anything on the RB3011...
 
nathan1
newbie
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Sat Feb 18, 2017 12:25 am

Larsa wrote:
nathan1 wrote:

So if I understand it correctly, by using HW acceleration on a CCR you may instead encounter a reorder problem? Yay! :-) Unfortunately I didn't find anything on the RB3011...

I don't think the RB3011 supports hardware acceleration but you will need to pick encryption mentioned in that thread for the CCR to prevent the re-ordering problem. The CCR tops out around 250Mbit with the software encryption. I'm not familiar with the RB3011 but it may be that is plenty to keep up with it.
 
Larsa
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Aug 29, 2015 7:40 pm
Reputation: 0

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Sat Feb 18, 2017 3:58 pm

haplessuser wrote:
Larsa wrote:
That's easier then. Use AES over DES. 3DES is notoriously slow in software, and it's unlikely to be optimized in hardware.

As far as 3011 support, it does not seem to be in the firmware suite yet, despite being a capability on the chip:
http://wiki.mikrotik.com/wiki/Manual:IP ... encryption

@Haplessuser, thanks for the suggestion!

Looks like AES128 might be a good choice since the RB3100 currently can't utilize the hardware accelerator. But it remains to see if it can cope with "soft" IPSec at sufficient speed.

I must say I'm a bit surprised they didn't implement the hw accelerator. But it's totally my own fault I didn't properly investigate the facts, nor did I care to check with sales before we bought a bunch RB3100. The only thing I bothered to do was checking the hardware specs for IPQ8064! There is a lesson there, right? :(

Who is online

Users browsing this forum: jerryd and 26 guests