Search found 16 matches

by Lemahasta
Wed Dec 30, 2020 6:39 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 265
Views: 45960

Re: v6.48 [stable] is released!

After upgrade from 6.47.8 IPSEC-IKEV2 from windows 10 client -> mikrotik CCR 1009 using eap-radius stopped working. After downgrade everything works fine again. RADIUS sends access-accept, windows client tries connecting for some time then just times out. No errors in mikrotik. Just doesn't work. D...
by Lemahasta
Sat Dec 26, 2020 7:23 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 265
Views: 45960

Re: v6.48 [stable] is released!

After upgrade from 6.47.8 IPSEC-IKEV2 from windows 10 client -> mikrotik CCR 1009 using eap-radius stopped working. After downgrade everything works fine again. RADIUS sends access-accept, windows client tries connecting for some time then just times out. No errors in mikrotik. Just doesn't work. Do...
by Lemahasta
Thu Jun 04, 2020 11:40 am
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

I had chance to do some more comparisons and tests and it seems that it's specific Tile issue. With 2 rb4011 (arm32) with same config I had consistent throughput with parallel streams in the 550 Mb/s range with GRE over IPSEC. Replacing one rb4011 with ccr 1009, same config - one side dropped to 300...
by Lemahasta
Mon May 25, 2020 9:28 pm
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

I asked around some people and also at reddit (I copy/pasted now text below), yet still I didn't find the reason for this behaviour. I made today another test (I got my hands on new rb4011). I took one CCR1009 and RB4011 - reset config (no default) - both upgraded to latest stable (6.46.6) and firm...
by Lemahasta
Sun May 24, 2020 3:54 pm
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

After some searching I found this topic on these forums, which explains a bit more how IPSEC should be handled by the CCR with - probably - some sort of ip/port src-dst based on peer. https://forum.mikrotik.com/viewtopic.php?t=140855 This would certainly explain why from side B to side A in my tests...
by Lemahasta
Thu May 21, 2020 9:17 pm
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

I tried different variants: IPIP with IPSEC, GRE with IPSEC, EOIP with IPSEC, pure IPSEC, and in every case I have very similar results (only difference being "max single connection throughput" but that's not an issue right here). Without IPSEC I'm getting parallel streams spread across cores i...
by Lemahasta
Thu May 21, 2020 7:11 pm
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

My issue - that I realised after my initial post - is that from one side of the tunnel number of connections doesn't matter - it's capped up to a single stream. I've done some more tests and I still have no idea why and what is the actual expected behaviour. As I said, both sides of the tunnel are equ...
by Lemahasta
Thu May 21, 2020 1:04 am
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

I've done some more testing/firewall tweaking and I've got some better results but also stumbled upon issue - which someone might maybe shed some light on? 1) I managed to reach up to 350 Mb/s in "pure" IPSEC (tunnel mode, no tunneling protocols like IPIP/EOIP) in single TCP stream (both ...
by Lemahasta
Wed May 20, 2020 10:07 am
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

I knew that for single tunnel only 1 core will be used, what I don't fully understand is that why my "numbers" differ so much from the datasheet for single tunnel and why my CPU won't even max out. If I run "just" IPIP tunnel (no IPSEC encryption on top of it) I can push using ip...
by Lemahasta
Tue May 19, 2020 10:35 am
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

Re: CCR 1009 - IPSEC throughput

My tests are also through the router and can't achieve so far anything above 220-ish Mb/s. For single connection (one client PC using tunnel for iperf and or file transfers from server behind other tunnel end) I see 2 cores being used and they're being used at around 70-80% max. I've been doing tests...
by Lemahasta
Mon May 18, 2020 11:55 am
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 3230

CCR 1009 - IPSEC throughput

Hello, [at the bottom is the TL,DR...] I'm trying to figure out what I might be doing wrong with my IPSEC setup, as I get much lower throughput than "advertised" and uplink is capable. scenario 1) For test purposes I have: left side: file server / iperf3 server -> mikrotik ccr 1009-7g-1s-1...
by Lemahasta
Mon Jul 09, 2018 2:49 pm
Forum: General
Topic: Ikev2 + eap radius
Replies: 9
Views: 5393

Re: Ikev2 + eap radius

I did check again, if after any of the updates somehow magically it will start working, but no. ROS 6.42.3, latest freeradius (3.0.17) and windows 10 (1803) client, everything looks the same. IKEV2 with eap-only, using certificate signed by another self-signed (untrusted) CA. CA is added to windows ...
by Lemahasta
Mon Jul 09, 2018 8:58 am
Forum: General
Topic: mikrotik SSTP vpn + freeradius = "It was not possible to verify the identity of the server"
Replies: 2
Views: 817

Re: mikrotik SSTP vpn + freeradius = "It was not possible to verify the identity of the server"

Hello, I'm sorry to say that I did not. I was hoping that someone might have some answer here on the boards :). I've tried again after going up to win 10 1803 and with most recent freeradius/MT versions but everything seems the same. I'll try again with windows 7 client, when I get a hold on one, to...
by Lemahasta
Thu Apr 05, 2018 10:25 am
Forum: General
Topic: mikrotik SSTP vpn + freeradius = "It was not possible to verify the identity of the server"
Replies: 2
Views: 817

mikrotik SSTP vpn + freeradius = "It was not possible to verify the identity of the server"

Hello, I'm having issues with SSTP on mikrotik (version 6.41.3, CCR 1009) with freeradius 3.0.14 as backend. I'm testing with windows 10 client. SSTP with "local" users works just fine, I'm using certificate signed by well-trusted CA (geotrust), no issues there. Issues arise when I try to a...
by Lemahasta
Mon Jun 05, 2017 1:40 pm
Forum: General
Topic: Ikev2 + eap radius
Replies: 9
Views: 5393

Re: Ikev2 + eap radius

Right now I'm using 6.39 (stable) and eap-radius for ikev2 still doesn't seem to work. For sstp it works without any issues. For IKEV2 RADIUS server receives request, sends "access-accept", which Mikrotik receives (in MT log I clearly see "received access-accept" with all relevan...
by Lemahasta
Tue Feb 21, 2017 10:26 pm
Forum: General
Topic: Ikev2 + eap radius
Replies: 9
Views: 5393

Ikev2 + eap radius

I did manage to get ikev2 with rsa signature running, but I'd much rather go for the eap radius authentication. I've been trying to make it work, but I can't seem to do it. I'm trying to connect using android with strongswan client. Using "certificate" works OK, but when I change to "e...