hEX - IPsec Tunnel slow

Hi,

I just bought two hEX Routers (750G r3, 6.41.2) and set up an IPsec tunnel between them. Both are running in Bridge Mode behind another DSL Router. I only want to use them as a VPN Gateway. Problem is that I only get about 16 MBit/s throughput. Internet connection should allow 40 MBit/s. I disabled the firewall by deleting all rules. How can I improve the IPsec tunnel speed?

My configuration:

/ip ipsec peer print
 0     ;;; vpn10
       address=88.77.66.44/32 auth-method=pre-shared-key
       secret="xxx" generate-policy=no
       policy-template-group=default exchange-mode=ike2
       send-initial-contact=yes hash-algorithm=sha256 enc-algorithm=aes-256
       dh-group=modp4096 lifetime=1d dpd-interval=2m

/ip ipsec policy print
 1  A  ;;; vpn10
       src-address=192.168.20.0/24 src-port=any dst-address=192.168.10.0/24
       dst-port=any protocol=all action=encrypt level=require
       ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0
       sa-dst-address=88.77.66.44 proposal=secure-proposal ph2-count=1
       
/ip ipsec proposal print
1    name="secure-proposal" auth-algorithms=sha256 enc-algorithms=aes-256-cbc
      lifetime=30m pfs-group=modp4096

Thank you,
Niclas

If the data sent through VPN is not sensitive data, maybe use PPTP VPN, much lighter and faster

The data is more or less sensitive, but I want this strong encryption. Shouldn’t the hEX routers be much more powerful at IPsec? Two cores of the CPU are just at about 8%.

Yes, I would think you should get ~50Mb.

Do you get 16Mb both ways? Not maybe limited by one side's upload speed?

Site 1 has 50/10 MBit/s (Down/up) and site 2 has 100/50 MBit/s. For testing I was at site 1 and downloaded (https) a file from site 2. So there is a bandwidth limit of 50 MBit/s but I only got 16 MBit/s through the IPsec tunnel.

Some ideas: Would it be better to use IPv6 between the sites? Should I play with MTU?

If those are the correct numbers I am surprised you get 16 MBit/s, since upload speed on site 1 is 10 MBit/s…

Try it with a pre-Bridge firmware, that is 6.40.5. I had the strangest things happening with the 750Gr3 on the Bridged firmware version and RC.

https://mikrotik.com/download/archive

I thought I would get 50 MBit/s bandwidth limit in one direction and 10 MBit/s in the other direction. Can you tell me why I am wrong? I think you have misunderstood my setup.

Edit:

I will test it.

Not sure how much knowledge / experience you have, but I would do some packet sniffing to see what is happening on the network

I downgraded both routers to 6.40.5, but the bridge option still exists and speed hadn’t changed. Is this what you expected? I thought pre-Bridge means that this option is not available.

Which packets shall I sniff and where? How can I see if something's wrong?

Mikrotik has a packet sniffer in the Tools menu. Sniff the bridge in both directions for the IP of your PC while you are doing a download. Save the sniffed packet file.

You can then view the details with the open source product called Wireshark, but you will need in-depth knowledge of how protocols, i.e. IP, TCP, UDP, etc. work.

These are bridges between the ports on the Mikrotik itself, and before 6.41 Master-Slave mode was used:

http://forum.mikrotik.com/t/v6-41-current/114978/1

I suspect this will make no difference, the reason being that bridge goes via CPU, master/slave config did not. But when routing is involved, it has to go via CPU, so it will make no difference here.

I looked at the sniffed traffic while downloading a file over https:

  1. There are many many retransmissions (TCP Fast Retransmissions, TCP Retransmissions and TCP Dup ACK)
  2. ESP packet size is 1506
  3. IP packet size (my download) 1436

I never saw IPsec traffic and I don't know what I have to expect, but these retransmissions seem to be problematic.
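The retransmissions above are what you see when encapsulated packets no longer fit the path MTU. This is an added calculator, not code from the thread, for the overhead that the proposal shown earlier (aes-256-cbc + sha256, ESP tunnel mode over IPv4) adds to each inner packet. It assumes a 16-byte explicit IV, a 128-bit truncated HMAC-SHA-256 ICV (RFC 4868) and, when a NAT sits in the path as in this setup, NAT-T UDP encapsulation; the MTU values fed to it are constructed.

```python
# Added example (not from the thread): ESP tunnel-mode overhead calculator for
# the proposal used above (aes-256-cbc + sha256, IPv4 outer, optional NAT-T).
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # AES-CBC block size; the ESP payload is padded to a multiple of it
AES_CBC_IV = 16    # explicit IV sent in every ESP packet
SHA256_ICV = 16    # HMAC-SHA-256-128 truncated ICV (RFC 4868)
PAD_TRAILER = 2    # pad-length + next-header bytes
IPV4_HDR = 20
UDP_HDR = 8        # NAT-T (UDP/4500) encapsulation when a NAT is in the path
TCP_IP_HDRS = 40   # IPv4 + TCP header without options


def esp_outer_size(inner_len: int, nat_t: bool = False) -> int:
    """Size of the outer IPv4 packet that carries an inner packet of inner_len bytes."""
    # plaintext = inner packet + padding + trailer, rounded UP to the cipher block size
    padded = -(-(inner_len + PAD_TRAILER) // AES_BLOCK) * AES_BLOCK
    size = IPV4_HDR + ESP_HDR + AES_CBC_IV + padded + SHA256_ICV
    return size + (UDP_HDR if nat_t else 0)


def max_inner_size(outer_mtu: int, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulation still fits in outer_mtu without fragmenting."""
    fixed = IPV4_HDR + ESP_HDR + AES_CBC_IV + SHA256_ICV + (UDP_HDR if nat_t else 0)
    padded = (outer_mtu - fixed) // AES_BLOCK * AES_BLOCK   # round DOWN to block size
    return padded - PAD_TRAILER


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS to clamp to so that a full segment fits the inner MTU."""
    return inner_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    # Constructed scenarios: plain Ethernet uplink (1500) and a PPPoE uplink (1492).
    for outer_mtu in (1500, 1492):
        for nat_t in (False, True):
            inner = max_inner_size(outer_mtu, nat_t)
            print(f"outer MTU {outer_mtu} NAT-T={nat_t!s:5}: inner MTU {inner}, "
                  f"clamp MSS to {tcp_mss_for(inner)}")
    # The 1436-byte inner packets seen in the capture: where do they land?
    for nat_t in (False, True):
        print(f"inner 1436 -> outer {esp_outer_size(1436, nat_t)} bytes (NAT-T={nat_t})")
```

Any outer size above the path MTU is fragmented or dropped on the way, and the TCP retransmissions in the capture are the symptom; clamping the MSS to the value this prints for your uplink keeps the encapsulated packets below that limit.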

Hi,
today I had time to build a small test network like this:

Laptop -- hEX -- FritzBox (Ports forwarded) -- Switch (my "test internet") -- FritzBox -- hEX -- Laptop

I tested some different configurations but ended up with only 3 MByte/s through the IPsec tunnel (SMB data transfer).

Then I tried another network config:

Laptop -- hEX -- Switch (my "test internet") -- hEX -- Laptop

Now I got about 11 MByte/s through the IPsec tunnel (SMB data transfer). I think this is the maximum network speed as the switch is only able to handle 100MBit/s.

So the problem seems to be the NAT at the FritzBox. Does someone know why these boxes are slowing me down?

EDIT: Just tested the second network config with a gigabit switch and got 28 MByte/s. Really impressive.

100 MBit/s equates to approx. 12,5 MBytes/s; with overhead etc. 11 MBytes/s is about correct.

Move the PPPoE / DSL authentication, etc off the FritzBox to the Mikrotik and configure the FritzBox as a “modem” only

Sorry for this late reply. Had no time to test with VDSL modems. Now my setup looks like this:

Local Network 1 -- Mikrotik  -- Modem (100/40 Down/Up) --  Internet -- Modem (50/10 Down/Up) -- Mikrotik -- Local Network 2

The Mikrotik Routers are connected via an IPsec GRE Tunnel. If I ping from one Local Network to the other I have a latency of about 40ms.
Now the problem: I only get 2,3 MByte/s via SMB, but the full speed of about 4,3 MByte/s via FTP. Is there anything I can do to improve the SMB speed? Some Clients need SMB so there is no option to use FTP only. I already set the SMB Version to 3.1.

Tunnel Configuration:
Actual MTU: 1406
DSCP: inherit
Dont fragment: no
Clamp TCP MSS: yes
Allow fast path: no

Nothing more to do on the router if FTP maxes out your connection.

SMB is a chatty protocol, latency is a killer. You’ll have to look more into SMB to see if it can be tuned for better throughput on high latency networks.

@nicku How does your firewall look? Use RAW instead of NAT.