Hello,
I have a question about IPSEC performance in comparition with OpenVPN in UDP mode - ipsec is slightly slower and the ping is no as equal as in OVPN.
I think that I should tune MTU value, but the IPSEC works in the tunnel mode, so there is no interface. Could you please help?
To get an interface for IPsec traffic, you have to set the IPsec policy to match only on GRE or IPIP tunnel traffic and create a GRE or IPIP tunnel. You can partially compensate the additional headers of the tunnel protocol by using the transport mode of ESP to carry the GRE or IPIP packets.
But as the icmp packets on your screenshot have a 32-byte payload, the difference in ping reponse times is not caused by fragmentation. I’d assume each of the two connections uses a different encryption alghoritm. Also, with Mikrotik you cannot use OpenVPN in UDP mode, so what remote device have you actually used for the comparison?
what remote device have you actually used for the comparison?
CentOS.
Both VPNs (OpenVPN and IPSEC) works in hub and spoke architecture (both concentrators in OVH’s VPS).
OpenVPN encryption: cipher AES-128-CBC, auth SHA256, tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
IPSEC encryption:
- proposal: auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
- peer: dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 hash-algorithm=sha256
SiteA: RB3011, SiteB: hexV3 (CPU ~ 0%).