ipsec ccr performance max 150mbit

mabels · September 10, 2014, 2:20pm

Hello,

i have two CCR1036-8G-2S+ running 6.19 inter connected with 10gbit.

My setup

net-a → net-b → net-c

allows me to transfer 9.8Gbit/sec without encryption

If I added an ipsec-tunnel to net-b with a policy for net-a/c i ended up with a max
throughput of ~170mbit/sec.
Where could be key to get more speed with the encryption enabled.

Here the config of the left side

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=169.254.100.2/32 secret=test
/ip ipsec policy
add dst-address=169.254.102.0/24 sa-dst-address=169.254.100.2 sa-src-address=169.254.100.1 src-address=
169.254.101.0/24 tunnel=yes

right side:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=169.254.100.1/32 secret=test
/ip ipsec policy
add dst-address=169.254.101.0/24 sa-dst-address=169.254.100.1 sa-src-address=169.254.100.2 src-address=
169.254.102.0/24 tunnel=yes

keep in mind if i disable the policy i get 9.8Gbit throughput

Thx in advance

meno
p.s. i played with the algorithms and there was no reasonable impact in performance terms.

Duduhandelman · September 10, 2014, 5:19pm

I think that hardware encryption is only working on aesand not 3des.

Give it a try

IntrusDave · September 10, 2014, 6:00pm

Yes, change to AES-128 or AES-256 with SHA1 or SHA256
You should see a dramatic increase.

mabels · September 10, 2014, 10:59pm

I played around with encryption before

and was no significant difference include the none option.

i set the proposal to:

0 * name=“default” auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m
pfs-group=modp1024

and there is only ~150-200Mbit throughput

So the problem is still there

meno

IntrusDave · September 10, 2014, 11:02pm

Odd, maybe a hardware defect? My CCR 1016-12G sustains 500mbps quite well.

mabels · September 11, 2014, 9:20am

I just used another pair of CCR-1036-8G-2S+ no difference.

Could be there a problem that i used only the 10GBit interfaces with vlan’s

/interface bonding
add lacp-rate=1sec mode=active-backup mtu=9216 name=sw10 slaves=
te0-sw10-1,te1-sw10-2

/interface vlan
add interface=sw10 mtu=9100 name=v2200-test-interconnect vlan-id=2200
add interface=sw10 mtu=9100 name=v2201-test-left vlan-id=2201
add interface=sw10 mtu=9100 name=v2202-test-right vlan-id=2202

my
net a is vlan2201
net b is vlan2200
net c is vlan2202

this configure is the same of both ccr’s

cheers

meno

mabels · October 7, 2014, 9:42pm

I discussed this topic with the MikroTik support but they don’t understand for now
that i want to have only one channel which runs with more than 150Mbit.

For me it looks like that a ccr router can only handle 150mbit per ipsec connection or per cpu.

I tried many things but i didn’t find any loadbalancing strategie across multiple
ipsec policies.

So this issue is still unsolved, stay tuned

meno