Azure S2S VPN Poor performance

Hi,

I’m just testing the following scenario:
IPsec site-to-site VPN, Mikrotik to Azure
RB951G-2HnD firmware 3.41 ROS 6.40.8 on the on-premises side
VpnGw1 on the Azure side

When I copy a file from an on-premises Windows to another Windows in the cloud, the router’s CPU goes to 100% and the throughput is about 28Mb/s.

Any idea why I’m getting such a ridiculous throughput?

PS: The configuration on the on-premises side is this one:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=7h30m pfs-group=none
/ip firewall
nat add action=accept chain=srcnat dst-address=172.16.0.0/23 src-address=192.168.100.0/24 place-before=0 comment=AzureNAT
/ip firewall raw
add action=notrack chain=prerouting src-address=172.16.0.0/23 dst-address=192.168.100.0/24
add action=notrack chain=prerouting src-address=192.168.100.0/24 dst-address=172.16.0.0/23
/ip ipsec peer
add address=/32 dh-group=modp1024 enc-algorithm=aes-256,aes-128 exchange-mode=ike2 secret= lifetime=8h
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.16.0.0/23 sa-dst-address=****** sa-src-address=******** src-address=192.168.100.0/24 tunnel=yes

Regards.

You have avoided the common mistake of fasttracking packets which have to be handled by IPsec policy.
But software encryption is a very CPU-intensive task, so I’m afraid that if you need a better throughput, you’ll have to use one of the Mikrotik models which support encryption in hardware (hAP ac², cAP, hEXr3).

Thanks Sindy!
I thought of that possibility. Without HW acceleration I expected a low throughput but not as low as 27Mb/s.

So, could this value be considered normal for my router?

Playing devil's advocate here, how do you know that the low throughput is not because of Azure (Cloud)?

It does not matter what size pipe they have; they might use software encryption, hence the low throughput from their side?

If you can lend yourself an hour or two, you can set up a virtual machine on your desktop machine and run the x86 version in test mode to test how fast IPsec can be in your case (your desktop is much faster than a small ROS device), and how settings can affect that.