IPIP tunnel low tput

I have an IPIP tunnel connecting two subnets from two Mikrotik routers via a third (ISP) router and the tput I see over the tunnel is about 25% of what I expect. MTU is set at 1460 and (as by default) Clamp TCP MSS is set. I tried disabling fasttrack in the tunnel config but that made no difference. Tput towards the Internet from each subnet reaches expected maximum values. What could I tweak to improve performance?

Try reducing the MTU to 1360-1380. Look at the load on each processor core (tools, profile, all).

This.

IPIP will use IPSEC as underlying security layer and IPSEC encryption algorithms may or may not be "hardware-accelerated" ... which depends on particular device model and particular algorithm used. And that's dependent on devices on both sides of IPIP tunnel. If used encryption algorithm can not be hardware accelerated, then it'll be done in software and that means it'll be slow (regardless the device CPU).

Are we sure it is IPSec encrypted? When I set up the tunnel I did not configure any keys or certs.

I tried this (reducing MTU), but did not see any improvement. I also ping tested for fragmentation and with 1460 there is none.

It is in my case. And I didn't configure IPsec explicitly either.

You can check by running /ip/ipsec/active-peers/print and see if there's an active IPsec connection related to the IPIP tunnel.

Many tunnel types (including IPIP or EoIP) will "fake" MTU you want. They will fragment packets if necessary and reconstruct them on the other end without it being explicitly seen. The only effect is reduced throughput due to increased workload and due to increased overhead.

And IMO it's hard to know the best MTU for such tunnels. Due to underlying encryption, the "outer payload" can be higher than "inner payload" by a considerable margin and quite probably playing with "inner MTU" doesn't consistently produce notable results.

No, no peer. CPU also doesn’t show significant increase during tunnel use.
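Added example, not part of the original thread: a Python calculation of the outer packet size an inner tunnel packet produces, for plain IPIP and for IPIP carried in ESP, showing why an inner MTU of 1460 fragments once encryption is in use while 1360-1380 does not. Assumptions not taken from the thread: IPv4 headers without options, ESP in transport mode without NAT-T, a 1500-byte underlay path MTU, and the two cipher suites listed.

```python
# Added example: outer packet size for an IPIP tunnel, plain vs. ESP-protected.
# Assumptions (not from the thread): IPv4 headers without options, ESP in
# transport mode, no NAT-T, 1500-byte path MTU on the underlay.
from dataclasses import dataclass

IPV4_HDR = 20     # outer IPv4 header added by IPIP
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte
PATH_MTU = 1500   # assumed underlay MTU


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv: int       # per-packet IV bytes
    align: int    # ciphertext must be a multiple of this
    icv: int      # integrity check value bytes


AES_CBC_SHA1 = EspSuite("aes-cbc + hmac-sha1-96", iv=16, align=16, icv=12)
AES_GCM_16 = EspSuite("aes-gcm, 16-byte ICV", iv=8, align=4, icv=16)


def outer_size(inner_len, suite=None):
    """Bytes on the underlay for one inner packet of inner_len bytes."""
    if suite is None:                      # plain IPIP: one extra IPv4 header
        return IPV4_HDR + inner_len
    # ESP pads payload + trailer up to the cipher's alignment.
    padded = -(-(inner_len + ESP_TRAILER) // suite.align) * suite.align
    return IPV4_HDR + ESP_HDR + suite.iv + padded + suite.icv


def fragments(inner_len, suite=None, path_mtu=PATH_MTU):
    """True if the encapsulated packet no longer fits the underlay MTU."""
    return outer_size(inner_len, suite) > path_mtu


def max_inner_mtu(suite=None, path_mtu=PATH_MTU):
    """Largest inner MTU that still avoids fragmentation of the outer packet."""
    return max(n for n in range(68, path_mtu + 1)
               if not fragments(n, suite, path_mtu))


if __name__ == "__main__":
    for suite in (None, AES_CBC_SHA1, AES_GCM_16):
        label = suite.name if suite else "plain IPIP"
        for mtu in (1460, 1380, 1360):
            print(f"{label:24} inner={mtu} outer={outer_size(mtu, suite)} "
                  f"fragments={fragments(mtu, suite)}")
        print(f"{label:24} max inner MTU = {max_inner_mtu(suite)}")
```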