ikev2 vpn speed

pasin · January 22, 2024, 8:15am

Hi,
I managed to configure ikev2 user to server vpn. But I noticed that download speed goes from 100 Mbps to around 20 Mbps when I connect to vpn.
When I configured openvpn this decrease in download speed did not happen.
I have mikrotik hap Lite TC

jhbarrantes · January 22, 2024, 8:48am

Most likely, MTU issue. Adjust it using mangle rules, as this is not automatic (PDMTU) like in other protocols.

Kind regards.

pasin · January 22, 2024, 9:08am

Ok, but why in openvpn with default firewall config speed is fine? What changes in ikev2 regarding MTU? Firewall rules are the default one. I just added rules to allow input in ports 4500,500

pasin · January 22, 2024, 9:40am

Tried to disable firewall rule fasttrack but still same

pasin · January 22, 2024, 11:24am

Same situation after adding:

chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn
protocol=tcp tcp-mss=!0-1360 log=no log-prefix=“” ipsec-policy=in,ipsec

pasin · January 23, 2024, 7:05pm

I also noticed the CPU speed of mikrotik goes to 90% or more when I test internet speed

jhbarrantes · January 23, 2024, 7:27pm

What do you spect from this hardware? It is very limited. If MTU is adjusted properly, next bottleneck will be CPU.

Regards.

pasin · January 23, 2024, 7:31pm

Can you please help me on how to adjust MTU, I am a newbie and maybe I am not doing it properly. I tried to add the mangle rule described above and also disablde fasttrack but CPU usage ad download speed is always same.

Larsa · January 23, 2024, 7:34pm

Check if your router model supports hardware acceleration for AES (IPSec). If not, encryption will be performed using software and the maximum throughput
will be limited to the CPU power.

https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Hardwareacceleration

pasin · January 23, 2024, 7:37pm

Model is mikrotik hap Lite TC ad it does not support HW acceleration

Larsa · January 23, 2024, 7:40pm

Okay, that’s probably the main reason for the bottleneck.

If possible, give WireGuard a try as it tends to be a bit more lenient when it comes to software encryption.

pasin · January 23, 2024, 8:27pm

Wireguard is not an option in this model

Larsa · January 24, 2024, 12:40pm

Okay, why is that? As far as i know, WireGuard is supported on all platforms using ROS v7.

pasin · January 24, 2024, 12:43pm

My mikrotik device goes to 6.49.12 when I update it from Check For Updates.

Larsa · January 24, 2024, 1:56pm

According to Mikrotik’s product page for hAP lite TC, it supports the latest version ROS v7.13.2 if you want to try upgrading. There’s some information on their website and various posts in the forum on how to upgrade. Remember to first make a backup if you would like to go back to v6.

https://help.mikrotik.com/docs/display/ROS/Upgrading+and+installation

mszru · January 29, 2024, 11:01pm

You need to switch from “stable” to a special channel called “upgrade”, which is available in the latest v6 version installed on your router. Then hit Check for Updates again and you’ll see the latest stable v7.

baragoon · January 29, 2024, 11:06pm

On v7 it will be unusable