HEX S and hardware IPSEC

Hello
I am testing IPSEC hardware encryption between two HEX S (RB760iGS, ROS 6.43.7).
Test environment is: PC1 ↔ Router R1 <–IPSEC–> Router R2 ↔ PC2.
PC1 and PC2 run iperf3.

Bandwidth test with simple IP routing between R1 and R2: 870Mbps
Bandwidth test with L2TP/no encryption between R1 and R2: 450Mbps
Bandwidth test with L2TP/encryption between R1 and R2: 110Mbps, cpu 25% (1 CPU over 4 at 100%)
Bandwidth test with L2TP/IPSEC: 160Mbps with something like 1.5 CPUs used.
This is far from the 450Mbps announced, so I wonder what I missed. IPSEC parameters are supported by HEX-S (tried cbc-128 and 3des, same result).

L2TP server (R1) export:

[admin@MikroTik] > / ip ipsec export 
# dec/13/2018 12:38:47 by RouterOS 6.43.7
# software id = KF7H-W7S9
#
# model = RB760iGS
# serial number = A815093DB959
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
[admin@MikroTik] > interface l2tp-server export 
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=123123123 use-ipsec=yes

L2TP client (R2) export:

[admin@MikroTik] > /ip ipsec export 
# dec/13/2018 12:41:02 by RouterOS 6.43.7
# software id = W4H9-JH1F
#
# model = RB760iGS
# serial number = A81509D1173C
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
[admin@MikroTik] > /interface l2tp-client export 
/interface l2tp-client
add connect-to=10.17.10.1 disabled=no ipsec-secret=123123123 name=l2tp-out1 use-ipsec=yes user=R2

The quoted throughput is bidirectional, so concurrent up/download. You would also need to optimise the IP stack, such as MTU.
In other words, you’re quite close with 160Mbps in one way.

Oh, so I’m a victim of the marketing?
One more... :slight_smile:

There is no marketing trick.
Test results are provided for pure ipsec tunnel with UDP traffic. In your case you are having additional load and overhead by using L2TP + l2tp encryption which is completely useless if you are using ipsec. Another thing is since you did not mention what protocol and packet size you are sending I assume it is default iperf parameters using TCP. In this case you will get packet fragmentation and TCP retransmits which will significantly reduce performance.

Ok i got your point.
Thing is, yes I’m using TCP and L2TP, because this is real life traffic for this future link. I just can’t say to my customer “oh! You’re not having 400Mbps? It’s your fault, you don’t use UDP!”. This is precisely why I test before sending to the customers.
This post was only to check if something obvious could be improved.

I still don’t get the “L2TP encryption is completely useless” part; do you mean that with this configuration, data is double-encrypted, MPPE + IPSEC?

Yes double encrypted. And you can play with change-mss rules in mangle to reduce TCP packet size to get better performance.
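An added RouterOS 6.x CLI example, not taken from any post in this thread, showing the two changes the last reply suggests: disabling MPPE in the PPP profile so the L2TP payload is encrypted once by IPsec instead of twice, and a change-mss mangle rule so TCP segments fit inside the L2TP/IPsec tunnel without fragmentation. The interface name l2tp-out1, the user R2 and the "default" profile come from the exports above; the static server binding name l2tp-in-R2, the choice of aes-128-cbc and the verification commands at the end are assumptions for illustration, not settings the thread measured.

```routeros
# --- Both routers: stop double encryption ---
# The L2TP tunnel uses the "default" PPP profile (see the exports).
# IPsec already protects the whole L2TP/UDP flow, so MPPE on the PPP
# layer only adds CPU work for no security gain.
/ppp profile
set [ find name=default ] use-encryption=no

# Use AES-CBC instead of 3DES (3DES is slow and deprecated; the hEX S
# hardware crypto handles AES). Peer profile and proposal must match
# on both routers. Assumed choice, not measured in the thread.
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-128 hash-algorithm=sha1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc auth-algorithms=sha1

# --- R1 (server): give the dynamic L2TP interface a fixed name so the
# mangle rules below can reference it (assumed name l2tp-in-R2) ---
/interface l2tp-server
add name=l2tp-in-R2 user=R2

# --- MSS clamping on TCP SYNs crossing the tunnel ---
# Shown for R2, where the tunnel interface is l2tp-out1; on R1 use
# l2tp-in-R2 instead. clamp-to-pmtu derives the MSS from the tunnel
# interface MTU; a fixed new-mss=1360 is the manual alternative.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="clamp MSS for TCP entering the L2TP/IPsec tunnel"
add chain=forward protocol=tcp tcp-flags=syn in-interface=l2tp-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="clamp MSS for TCP leaving the L2TP/IPsec tunnel"

# --- Checks after the tunnel re-establishes ---
# installed-sa should list aes-128-cbc SAs; tool profile shows whether
# the remaining CPU load sits in ipsec rather than in ppp/encrypting.
/ip ipsec installed-sa print
/tool profile
```

After applying this on both routers, repeating the iperf3 run once with UDP (iperf3 -u) and once with TCP separates the fragmentation/retransmit effect the second reply describes from the raw IPsec throughput of the box.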