ipsec hardware acceleration under RB1000

Hi,

Are there any specific parameters needed for the best IPsec performance on the RB1000 platform? For instance, what kind of cryptography is accelerated? All of it?

You don’t need any specific parameters. The RB1000 will automatically use HW encryption.

Somewhat related: does it also use hardware acceleration for other cryptographic tasks, such as TLS?

Is there a theoretical limit for the number of concurrent connections on the RB1000 with the following setup -

SHA1/AES256 IPsec over an IPIP tunnel, also using OSPF for routing. This is a HUB and SPOKE setup where the RB1000 is the HUB and all other locations are SPOKEs with 493AH routers.

Hmm, are you sure that there’s no specific encryption algorithm that needs to be used with this? I have a 100Mbit/s internet connection, but I can only get something like 2-3Mbit/s through IPsec.
I use AES-128 with SHA1 hashing.
I have 2% CPU load while testing, and I test using FTP.

AES is hardware accelerated. What device do you have on the other side?

A linux box running OpenSWAN. My own line at home is a 50Mbit/s fiber, and I’m running a VPN on that on my RB750, and it’s running much, much better than this RB1000. It’s the same config on the two boxes.

What version of RouterOS?

What encryption settings do you have set up?

How much normal traffic can you push through that?

I’ve been working on this problem all day, and here is what I’ve gathered:
I’m running RouterOS 4.6 and have split-tunnelling with AES-128-SHA1-modp1536 configured.
I can push something like 3.5MByte/s through this circuit if I don’t use the IPsec tunnel.
My throughput through the IPsec tunnel is around 180KByte/s.
I’ve been sniffing on all the ends of the circuit that I have access to (the router, the outside before my concentrator and the inside network).

When I analyse these pcap dumps, I can see that the IPsec packets arrive out of order, and I can see that they are in fact transmitted out of order by the RB1000!

So, somehow there’s a bug on the RB1000 that causes the VPN traffic to be transmitted out of order.
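One way to quantify the reordering described above from a capture, as an added example that is not from this thread: it parses the ESP header (SPI and sequence number) out of raw IPv4 packets and counts, per SA, how often a packet carries a sequence number lower than the highest already seen. The packets are constructed inline so it runs without a pcap library; a real capture would feed the same `reorder_report` function with the raw IP layer of each frame.

```python
import struct
from collections import defaultdict

ESP_PROTO = 50  # IP protocol number for ESP


def build_ipv4_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Build a minimal IPv4 packet carrying an ESP header (constructed sample data)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTO, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + struct.pack("!II", spi, seq) + payload


def parse_esp(packet: bytes):
    """Return (spi, seq) for an IPv4/ESP packet, or None for anything else."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    if packet[9] != ESP_PROTO or len(packet) < ihl + 8:
        return None
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return spi, seq


def reorder_report(packets):
    """Per SPI: packets seen, packets that regressed below the highest seq, largest regression."""
    highest = {}
    stats = defaultdict(lambda: {"total": 0, "out_of_order": 0, "max_gap": 0})
    for pkt in packets:
        parsed = parse_esp(pkt)
        if parsed is None:
            continue                        # ignore non-ESP traffic in the capture
        spi, seq = parsed
        s = stats[spi]
        s["total"] += 1
        if spi in highest and seq < highest[spi]:
            s["out_of_order"] += 1
            s["max_gap"] = max(s["max_gap"], highest[spi] - seq)
        else:
            highest[spi] = seq
    return dict(stats)


# Constructed capture for SPI 0xC0FFEE: sequence 5 overtakes 3 and 4, and 9 overtakes 8.
SAMPLE = [build_ipv4_esp(0xC0FFEE, n) for n in (1, 2, 5, 3, 4, 6, 7, 9, 8)]

if __name__ == "__main__":
    for spi, s in reorder_report(SAMPLE).items():
        print(f"SPI 0x{spi:08x}: {s['out_of_order']}/{s['total']} out of order, max gap {s['max_gap']}")
```

Heavy reordering hurts TCP throughput even when every packet stays inside the receiver's anti-replay window, which matches the low throughput reported at 2% CPU.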

Did this ever get confirmed and/or resolved?

No, unfortunately not. It’s still a problem, but I’ll probably replace the boxes with something that I know works…

Just for the archive:
we did some testing with the new RB1100AH (a pair of them).
At first we thought we needed to turn on HW acceleration, or that something else was failing, until we found that we must NOT use MikroTik’s btest but have to use iperf (or jperf with GUI) instead.

With that, we can nicely push 200Mbps TCP between a desktop and a (pretty old P4) notebook (after that, the notebook’s CPU was the limit).
At 200Mbps TCP throughput, the RB’s CPU was ~50-60%, using AES-256 ESP with IPsec.

I think the same: you don’t need any specific parameters. The RB1000 will automatically use HW encryption.
I Flight Systems