High 'networking'-load with IPSec using CCR2004

Hi,

I’m using a CCR2004-1G-12S+2XS router for site-to-site VPN using IPSec.
Unfortunately, data transfer seems to be limited by cpu.
A file copy using HTTP barely reaches 50MBit/s - the cpu1 of the CCR is at about 60% with roughly 40% networking.
In Firewall, a raw ‘no track’ rule is present and hits traffic.
However, the accept established, related, untracked filter rule on input also gets hit by traffic?!
Does anybody have an idea how to reduce CPU load when transferring a bigger amount of data using IPSec?

Thanks for any help.

All the best from Germany!
Sascha

Is nobody using IPSec for site-to-site?
Are there any better ways I’m not aware of?

If you have a CCR2004 at both ends, make sure to enable proper AES hardware acceleration for IPsec:

https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Hardwareacceleration

It doesn’t have to be CCR2004 on both ends.
Just make sure to use encryption method which can be HW offloaded. Period.

Yeah, and to be more specific – if either end of the IPsec tunnel doesn’t have AES hardware acceleration, that’s going to set the limit for the total throughput you can get.
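To make the advice in the replies above concrete, here is an added RouterOS CLI example (not from the thread or from MikroTik's docs) showing a proposal that can only run in software next to one the CCR2004's AES engine can offload; the proposal and profile names, the peer name "site-b" and the modp2048 DH group are assumptions for illustration.

```routeros
# Added example (not from the thread): a software-only proposal beside one that
# the CCR2004 can offload to its AES engine. Names "sw-only"/"hw-offload",
# the peer name "site-b" and the modp2048 DH group are assumed for illustration.

/ip ipsec proposal
# Software path: 3DES is not AES, so it is never hardware accelerated and
# every ESP packet is encrypted by the CPU (the "networking" share climbs).
add name=sw-only enc-algorithms=3des auth-algorithms=sha1 pfs-group=modp2048

# Accelerated path: AES-CBC with SHA256. Confirm the exact cipher/hash pairs
# your model offloads against the hardware-acceleration table linked above.
add name=hw-offload enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Phase 1 (IKE) algorithms only affect key exchange, not bulk throughput,
# but keeping them on AES/SHA2 avoids legacy-algorithm negotiation surprises.
/ip ipsec profile
add name=hw-offload-ike enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Point the policy at the offloadable proposal; the remote side must offer a
# matching proposal, otherwise IKE settles on whatever both ends share.
/ip ipsec policy
set [find peer=site-b] proposal=hw-offload

# Verification: the installed SA must actually show an AES algorithm, and
# /tool profile shows whether the "networking" share drops under the same load.
/ip ipsec installed-sa print
/tool profile
```

Both ends have to agree on an AES proposal; if the far side only offers non-AES ciphers, the tunnel still comes up but the CCR encrypts in software and the CPU limit described in the first post remains.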

Exactly.

There is always a bottleneck.
And if the choke point is someplace you have zero control over, you’re done. Nothing will help then unless you completely redesign the complete chain (at which point there will be another bottleneck elsewhere).