Hi all, I’ve configured an IPsec VPN using an aes-128-gcm encryption policy. All seems to be working without a major problem, but I have two minor issues.
Firstly, when I perform a speed test using the MikroTik utilities I get high in-state-protocol-errors. Over the course of a minute they will increase by several thousand. This seems to be far worse with UDP rather than TCP. I’ve tried 3des, aes-128-gcm and aes-128-ctr. All suffer the same issue. It is also only on one side of the VPN, the one receiving the UDP traffic. What does this point to? A faulty routerboard, or an issue with the connectivity at that end? I’ve also adjusted the MTU sizes (I’m forcing WAN traffic to 1460 and traffic over the tunnel to 1300). It does not appear to make a difference to the error count what the TCP MSS is set to.
Secondly, I cannot get fast-track to work. Will it ever work over an IPsec VPN? Both routers show 0 packets have hit fast-path despite me configuring fast-track rules.
Any help much appreciated, particularly with the high in-state-protocol-errors. I can’t seem to find much information regarding these at all.
Can anybody shed any light on this at all? Surely I cannot be the only person with these high error rates. The only information I can find is that the hardware acceleration cannot keep up. Should I be adding a limiting queue or some such?
Set only the traffic through the tunnel to 1280 for testing and leave the WAN MTU alone or set it to 1492 if you have a PPPoE connection. Fasttracking over VPN is not going to work.
On the other stuff I can’t give you any advice. Have you used the MikroTik wiki to find examples and tips?
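The MTU advice above leaves open what MSS value actually fits once ESP tunnel-mode overhead is added. The following is an added worked example, not code from the thread or from MikroTik: it computes the outer packet size for a given inner TCP segment using the fixed ESP field sizes from RFC 4303 (8-byte SPI/sequence header, 2-byte trailer), RFC 4106 (AES-GCM: 8-byte IV, 16-byte ICV), RFC 3686 (AES-CTR: 8-byte IV) and RFC 3602 / 3DES-CBC (16- and 8-byte IV and block alignment), and from that the largest MSS that keeps the encrypted packet within the WAN MTU. The assumptions are that MikroTik uses the default 16-byte GCM ICV, that the separate integrity algorithm for CTR/3DES is HMAC-SHA1-96 (12-byte ICV) or SHA-256 (16-byte ICV), and that inner and outer headers are plain IPv4 without options; the numbers are generic ESP arithmetic, not something the page states for RouterOS.

```python
"""ESP tunnel-mode overhead and MSS clamp calculator (added example, not from the page).

Field sizes come from RFC 4303 (ESP), RFC 4106 (AES-GCM), RFC 3686 (AES-CTR)
and RFC 3602 (AES-CBC); 3DES-CBC uses an 8-byte IV and 8-byte blocks.
Assumptions (not stated on the page): plain IPv4 inner/outer headers without
options, 16-byte GCM ICV, and HMAC-SHA1-96 (12) or SHA-256-128 (16) for the
separate integrity algorithm used with non-AEAD ciphers.
"""

OUTER_IPV4 = 20      # new IP header added in tunnel mode
UDP_ENCAP = 8        # UDP header when NAT-T (port 4500) encapsulation is in use
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
INNER_IPV4_TCP = 40  # inner IP (20) + TCP (20), no options

# cipher -> (iv_bytes, alignment, built-in ICV bytes or None if a separate auth is used)
CIPHERS = {
    "aes-128-gcm": (8, 4, 16),   # AEAD: 4-byte ESP alignment, 16-byte ICV assumed
    "aes-128-ctr": (8, 4, None), # RFC 3686: no cipher block alignment
    "aes-128-cbc": (16, 16, None),
    "3des": (8, 8, None),
}

AUTHS = {None: 0, "sha1": 12, "sha256": 16}  # ICV sizes for non-AEAD ciphers


def outer_len(mss, cipher, auth=None, nat_t=False):
    """Size on the wire of one full-MSS inner TCP segment after ESP tunnel-mode encapsulation."""
    iv, align, aead_icv = CIPHERS[cipher]
    if aead_icv is not None:
        if auth is not None:
            raise ValueError(f"{cipher} is AEAD; no separate auth algorithm applies")
        icv = aead_icv
    else:
        if auth is None:
            raise ValueError(f"{cipher} needs a separate auth algorithm")
        icv = AUTHS[auth]
    inner = INNER_IPV4_TCP + mss
    # Padding makes (payload + padding + trailer) a multiple of the alignment.
    pad = (-(inner + ESP_TRAILER)) % align
    return (OUTER_IPV4 + (UDP_ENCAP if nat_t else 0) + ESP_HEADER + iv
            + inner + pad + ESP_TRAILER + icv)


def esp_overhead(mss, cipher, auth=None, nat_t=False):
    """Bytes added by encapsulation for a segment of the given MSS (varies with padding)."""
    return outer_len(mss, cipher, auth, nat_t) - (INNER_IPV4_TCP + mss)


def max_mss(wan_mtu, cipher, auth=None, nat_t=False):
    """Largest TCP MSS whose encrypted packet still fits in wan_mtu (the value to clamp to)."""
    # Outer size is monotone non-decreasing in mss, so a descending scan finds the boundary.
    mss = wan_mtu - INNER_IPV4_TCP
    while mss > 0 and outer_len(mss, cipher, auth, nat_t) > wan_mtu:
        mss -= 1
    if mss <= 0:
        raise ValueError("WAN MTU too small for any payload")
    return mss


if __name__ == "__main__":
    # The poster's case: WAN MTU forced to 1460, aes-128-gcm policy.
    for cipher, auth in (("aes-128-gcm", None), ("aes-128-ctr", "sha1"), ("3des", "sha1")):
        m = max_mss(1460, cipher, auth)
        print(f"{cipher:12s} auth={auth}: clamp MSS to {m}, "
              f"overhead {esp_overhead(m, cipher, auth)} bytes, outer {outer_len(m, cipher, auth)}")
    print("aes-128-gcm over NAT-T at MTU 1500:", max_mss(1500, "aes-128-gcm", nat_t=True))
```

A tunnel interface MTU of 1280 or 1300 (as suggested above) is comfortably below every value this computes for a 1460-byte WAN MTU, which is why that setting is safe regardless of cipher; the calculator is mainly useful for checking that a `new-mss` value, or the result of `clamp-to-pmtu`, actually leaves room for padding and the ICV rather than sitting exactly at the MTU.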
Indeed I have been through the wiki and the only thing it says is the hardware acceleration may be having issues. I’m not sure if this is the case or not. I’ve already set my MTU through the tunnel to 1300. Although I’m looking at the firewall mangle rule after having reset the stats and none of the MTU clamping seems to be having any effect. I’m unsure why this is to be honest.
Is this still an issue? http://forum.mikrotik.com/t/pppoe-mss-clamp-no-working-on-upgrade/111439/1
Looks as though change-mss isn’t working? That’s exactly what I am seeing. If I add:
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
My counters are now increasing, although not for my other change-mss rules.