I've Tried (almost) everything: IPSEC IKEv2 11.5 Mbps on 100Mbps Connection Hap AC2

Good day,

I have successfully setup a “Road Warrior” Client to a MikroTik VPN server using IPSEC with IKEv2 on my HAP AC^2. I’m able to connect consistently, run RDP to the device I need to control, and all is mostly well. However, RDP is quite slow/jerky and when I run a bandwidth test using iperf3 through the tunnel, I consistently get 11.5Mbps. The connection at work is about 60 Mbps down, 10 Mbps up and 69 ms delay while the connection at home is 120 Mbps down, 10 Mbps up and 72 ms delay.

I’ve read as many of the forum posts about this as I could find, and I’ve tried tinkering with the MSS to ensure I’m not fragmenting unnecessarily. Currently, I have the MSS set in and out by clamp to PMTU mangle rules on my WAN interface. I’ve tried static MSS settings with mangle as well. I know the max MTU is 1400 limited by the Windows 10 VPN client. I fiddled with that setting as well without any luck. Both computers are running Windows 10 Pro and the client computer (laptop) is connecting through the built in VPN client.

I’ve checked the CPU using profiles, and it never gets above 15% even with video playing or with an iperf3 test between my computers.

When the IPSEC tunnel is established, I have two installed SAs that have the same two IP address just opposite for SRC and DST. One IP is the Comcast dynamic WAN IP for my work network (Work.WAN.IP) and the other is the Linksys static WAN IP for my Mikrotik on the network at home (192.168.1.123). The Linksys has a Comcast dynamic WAN IP and is setup with port forwarding for UDP 4500 and 500.

I’m not sure what to do next. Maybe that’s just the best bandwidth the two networks can provide given the upload speeds? It’s probably a silly setting I’ve missed since this is my first MikroTik and first real experience with routing. I’m at a loss though after 20-30 hours of reading and trying different things.

My config is below, and I’ve also attached an image of my networks. Any help from the experts here is so very welcome!

# oct/25/2019 15:03:55 by RouterOS 6.45.6
# software id = L0AF-NAW4
#
# model = RBD52G-5HacD2HnD

/interface bridge
	add admin-mac=74:4D:28:75:75:58 auto-mac=no comment=defconf name=bridge

/interface bridge port
	add bridge=bridge comment=defconf interface=ether2
	add bridge=bridge comment=defconf interface=ether3
	add bridge=bridge comment=defconf interface=ether4
	add bridge=bridge comment=defconf interface=ether5
	add bridge=bridge comment=defconf interface=wlan1
	add bridge=bridge comment=defconf disabled=yes interface=wlan2

/interface list
	add comment=defconf name=WAN
	add comment=defconf name=LAN

/interface list member
	add comment=defconf interface=bridge list=LAN
	add comment=defconf interface=wlan2 list=WAN

/interface wireless
	set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
		disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
		MikroTik-75755C wireless-protocol=802.11
	set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
		20/40/80mhz-Ceee disabled=no distance=indoors frequency=5745 \
		security-profile=jeff ssid="Home Linksys Router" \
		wireless-protocol=802.11

/interface wireless security-profiles
	set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
		supplicant-identity=MikroTik
	add authentication-types=wpa2-psk management-protection=allowed mode=\
		dynamic-keys name=jeff supplicant-identity=MikroTik

/interface sstp-server server
	set authentication=mschap2 certificate=server2 default-profile=sstp01 \
		enabled=yes force-aes=yes max-mru=1400 max-mtu=1400 pfs=yes tls-version=\
		only-1.2

/ppp profile
	add dns-server=192.168.1.1 local-address=192.168.88.1 name=sstp01 rate-limit=\
		9M/9M remote-address="SSTP VPN" use-encryption=required

/ppp secret
	add local-address=192.168.88.1 name=personalremoved profile=sstp01 remote-address=\
		192.168.88.14 service=sstp

/ip hotspot profile
	set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec policy
	add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 \
		src-address=0.0.0.0/0 template=yes
		
/ip ipsec proposal
	add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=12h name=ike2 \
		pfs-group=modp2048

/ip ipsec policy group
	add name=ike2-policies

/ip ipsec peer
	add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
	
/ip ipsec identity
	add auth-method=digital-signature certificate=server2 generate-policy=\
		port-strict mode-config=ike2-conf peer=ike2 policy-template-group=\
		ike2-policies remote-certificate=rw-client1

/ip ipsec profile
	add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=ike2

/ip ipsec mode-config
	add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf \
		split-include=192.168.88.0/24

/ip pool
	add name=dhcp ranges=192.168.88.15-192.168.88.254
	add name="SSTP VPN" ranges=192.168.88.10-192.168.88.14
	add name=ike2-pool ranges=192.168.77.10-192.168.77.14

/ip dhcp-server
	add address-pool=dhcp disabled=no interface=bridge name=defconf

/ip neighbor discovery-settings
	set discover-interface-list=LAN

/ip address
	add address=192.168.88.1/24 comment=defconf interface=bridge network=\
		192.168.88.0

/ip arp
	add address=192.168.88.14 interface=bridge published=yes
	add address=192.168.88.251 interface=bridge mac-address=1C:69:7A:02:AA:0F
	add address=192.168.88.10 disabled=yes interface=bridge published=yes

/ip dhcp-client
	add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
		wlan2

/ip dhcp-server lease
	add address=192.168.88.251 client-id=1:1c:69:7a:2:aa:f mac-address=\
		1C:69:7A:02:AA:0F server=defconf

/ip dhcp-server network
	add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
	set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
	add action=accept chain=input comment=\
		"defconf: accept established,related,untracked" connection-state=\
		established,related,untracked
	add action=drop chain=input comment="defconf: drop invalid" connection-state=\
		invalid
	add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
	add action=accept chain=forward comment="defconf: accept in ipsec policy" \
		ipsec-policy=in,ipsec
	add action=accept chain=forward comment="defconf: accept out ipsec policy" \
		ipsec-policy=out,ipsec
	add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
		connection-mark=!ipsec connection-state=established,related
	add action=accept chain=forward comment=\
		"defconf: accept established,related, untracked" connection-state=\
		established,related,untracked
	add action=accept chain=input dst-port=443 protocol=tcp
	add action=accept chain=input dst-port=500 protocol=udp
	add action=accept chain=input dst-port=4500 protocol=udp
	add action=accept chain=forward comment="Whitelist RDP through VPN" dst-port=\
		3389 protocol=tcp src-address=192.168.88.10-192.168.88.14
	add action=accept chain=forward dst-port=3389 protocol=tcp src-address=\
		192.168.77.10-192.168.77.14
	add action=reject chain=forward comment="Block RDP Brute Force" log-prefix=\
		Blocked reject-with=icmp-network-unreachable src-address-list=Blocked
	add action=add-src-to-address-list address-list=Blocked address-list-timeout=\
		1w3d chain=forward connection-state=new dst-port=3389 log=yes log-prefix=\
		"RDP BRUTEFORCE - " protocol=tcp src-address-list=rdp_stage3
	add action=add-src-to-address-list address-list=rdp_stage3 \
		address-list-timeout=5m chain=forward connection-state=new dst-port=3389 \
		protocol=tcp src-address-list=rdp_stage2
	add action=add-src-to-address-list address-list=rdp_stage2 \
		address-list-timeout=5m chain=forward connection-state=new dst-port=3389 \
		protocol=tcp src-address-list=rdp_stage1
	add action=add-src-to-address-list address-list=rdp_stage1 \
		address-list-timeout=5m chain=forward connection-state=new dst-port=3389 \
		protocol=tcp
	add action=accept chain=input src-address=192.168.88.0/24
	add action=accept chain=forward src-address=192.168.88.0/24
	add action=drop chain=input comment="defconf: drop all not coming from LAN" \
		in-interface-list=!LAN
	add action=drop chain=forward comment="defconf: drop invalid" \
		connection-state=invalid
	add action=drop chain=forward comment=\
		"defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
		connection-state=new in-interface-list=WAN
	add action=drop chain=input connection-state=new dst-port=53 in-interface=\
		wlan2 protocol=udp
	add action=drop chain=input connection-state=new dst-port=53 in-interface=\
		wlan2 protocol=tcp

/ip firewall mangle
	add action=mark-connection chain=forward comment=\
		"mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
		in,ipsec new-connection-mark=ipsec
	add action=mark-connection chain=forward comment=\
		"mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
		out,ipsec new-connection-mark=ipsec
	add action=change-mss chain=forward connection-mark=ipsec disabled=yes log=\
		yes log-prefix=MSS new-mss=1360 passthrough=yes protocol=tcp tcp-flags=\
		syn tcp-mss=!0-1360
	add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=wlan2 \
		passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1401-65535
	add action=change-mss chain=forward in-interface=wlan2 new-mss=clamp-to-pmtu \
		passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1401-65535

/ip firewall nat
	add action=masquerade chain=srcnat out-interface=wlan2 src-address=\
		192.168.88.0/24
	add action=masquerade chain=srcnat comment="defconf: masquerade" \
		ipsec-policy=out,none out-interface-list=WAN

/ip ssh
	set allow-none-crypto=yes forwarding-enabled=remote

/system logging action
	add memory-lines=100 name=ipsec target=memory

/system clock
	set time-zone-name=America/Chicago

/system logging
	add disabled=yes topics=sstp
	add disabled=yes topics=certificate
	add action=ipsec prefix=" " topics=ipsec

/system watchdog
	set auto-send-supout=yes watch-address=8.8.8.8

/tool bandwidth-server
	set enabled=no

/tool mac-server
	set allowed-interface-list=LAN

/tool mac-server mac-winbox
	set allowed-interface-list=LAN
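The staged rdp_stage1/rdp_stage2/rdp_stage3/Blocked rules in the export above are easy to misread, so here is a small model of them. This is an added example, not code from the thread or from RouterOS: it walks a stream of new TCP connections to port 3389 through those five filter rules in the order they appear in the export (reject if Blocked, then stage3 to Blocked, stage2 to stage3, stage1 to stage2, everything to stage1). It assumes two RouterOS behaviours that the comments call out: add-src-to-address-list does not stop rule processing, and re-adding an address that is already on a list refreshes its timeout. The IP addresses and timestamps are constructed sample data. Note that in the posted config the accept rules for the SSTP and IKEv2 client ranges sit above these rules, so VPN clients never reach them.

```python
"""Model of the staged RDP brute-force address-list rules.

Added illustration, not code from the original post or from RouterOS.
Rule order is the one in the posted export. Assumptions:
  * add-src-to-address-list is non-terminating: the packet keeps going
    down the chain after the address is added.
  * adding an address that is already listed refreshes its timeout.
"""
from dataclasses import dataclass, field

STAGE_TIMEOUT = 5 * 60           # address-list-timeout=5m in the export
BLOCK_TIMEOUT = 10 * 24 * 3600   # address-list-timeout=1w3d in the export


@dataclass
class AddressLists:
    """Dynamic address-list entries: (list name, ip) -> expiry time (seconds)."""
    entries: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # re-adding an existing entry refreshes the timer (assumption)
        self.entries[(name, ip)] = now + timeout


def rdp_chain(lists, ip, now):
    """Decision for one new SYN to tcp/3389 from ip at time now, rules in posted order."""
    if lists.contains("Blocked", ip, now):
        return "reject"                                   # reject-with=icmp-network-unreachable
    if lists.contains("rdp_stage3", ip, now):
        lists.add("Blocked", ip, now, BLOCK_TIMEOUT)      # logged "RDP BRUTEFORCE - "
    if lists.contains("rdp_stage2", ip, now):
        lists.add("rdp_stage3", ip, now, STAGE_TIMEOUT)
    if lists.contains("rdp_stage1", ip, now):
        lists.add("rdp_stage2", ip, now, STAGE_TIMEOUT)
    lists.add("rdp_stage1", ip, now, STAGE_TIMEOUT)
    return "pass"                                         # falls through to the rest of the chain


def rdp_chain_misordered(lists, ip, now):
    """Same rules with the stage rules reversed (stage1 first): a common mistake.

    Because add-src-to-address-list does not terminate processing, one SYN
    now climbs every stage in a single pass and lands in Blocked immediately.
    """
    if lists.contains("Blocked", ip, now):
        return "reject"
    lists.add("rdp_stage1", ip, now, STAGE_TIMEOUT)
    if lists.contains("rdp_stage1", ip, now):
        lists.add("rdp_stage2", ip, now, STAGE_TIMEOUT)
    if lists.contains("rdp_stage2", ip, now):
        lists.add("rdp_stage3", ip, now, STAGE_TIMEOUT)
    if lists.contains("rdp_stage3", ip, now):
        lists.add("Blocked", ip, now, BLOCK_TIMEOUT)
    return "pass"


def simulate(events, chain=rdp_chain):
    """Run (time_seconds, src_ip) new-connection events through a chain; return decisions."""
    lists = AddressLists()
    return [chain(lists, ip, t) for t, ip in sorted(events)]


if __name__ == "__main__":
    # constructed sample traffic, not captured data
    fast = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40)]
    slow = [(t, "198.51.100.9") for t in range(0, 3600, 360)]   # one try per 6 minutes
    print("posted order, 5 SYNs in 40 s:", simulate(fast))
    print("posted order, 1 SYN per 6 min:", simulate(slow))
    print("reversed order, 2 SYNs:      ", simulate(fast[:2], rdp_chain_misordered))
```

Two things the model makes visible: the posted order tolerates three new connections from one source within any five-minute window and blocks on the fourth (the fourth SYN itself still passes this group of rules), and a source that spaces attempts more than five minutes apart never escalates past rdp_stage1, so the 5m stage timeouts set the slowest attack rate the rules catch.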

If your up speeds at both ends are 10 Mbps and you're getting 11 Mbps, I'd say you are doing well.


In addition to anav and McSee, I think it would be clearer if it is just written down.

Office 60 Mbps → 10 Mbps home
Office 10 Mbps ← 120 Mbps home

So maximum speed either way is 10 Mbps.

The arrows should point the other way … because it’s uplink (away from end point) which is slow.

But this doesn’t change the fact that end-to-end speed of IPSEC connection is 10 Mbps in both directions, both ways there’s an UL bottleneck.

I’m afraid my inexperience with networking is showing :blush: . I thought that might be it, but wasn’t sure and hoped it wasn’t. I guess I’ll have to dial back the RDP graphic settings as much as I can, and also reach out to the ISPs and see what we can do about the up speeds.

I just thought of something. RDP shouldn’t be freezing up and stuttering at that speed and latency, should it? Is it possible I’ve buggered up the MSS and have packet loss or unnecessary fragmentation? Maybe my firewall rules aren’t in the right order.

Thanks everyone!

RDP doesn’t need much bandwidth. It’s working happily with a 10Mbps connection here, too. Maybe you should check for unusual high latency and maybe packet loss. 10Mbps is more than enough for RDP…

I looked at the settings in the firewall and noticed that 192.168.75.X is used in the drawing and in the settings 192.168.77.X.

Bring the MTU in Mangle to 1280 so that packets will pass even it will be fragmented.

Msatter, thank you. I adjusted the MSS-TCP from 1401-65535 to 1281-65535 on the in and out clamp to PMTU Mangle rules. I’m going to try that for today and then enable the disabled Mangle rule and adjust its MSS changes to your suggestion and disable the two clamp rules to see if either works better.

As far as the IPs, the work DHCP assigns IP address to local devices with 192.168.75.X and I have a pool for IPSEC that assigns 192.168.77.X. The client’s local IP doesn’t show up anywhere in my MikroTik, so I used the IP address (192.168.77.X) that does show up. I’m referencing this for those settings:

[admin@MikroTik] /ip ipsec active-peers> print detail
Flags: R - responder, N - natt-peer
 0 RN id="rw-client1" local-address=192.168.1.123 port=4500 remote-address=work.WAN.IP port=33706 state=established side=responder dynamic-address=192.168.77.14 uptime=16m33s last-seen=32s ph2-total=1

The device you RDP from, is it connecting with wifi or a wired LAN cable? Wifi might not be optimally configured, which might cause the stuck issues.

I am wired at work, and the computer is wired to the MikroTik router at home. The MikroTik is wirelessly connected to the Linksys router as a station at home using 5 GHz within 10 feet of the Linksys, line of sight.

Ok so it’s been a little while. Work. I’ve tried to do some sleuthing with Wireshark, but I’m not entirely sure I’m using it right (not your problem; I can read up). What I have noticed is that if I try to monitor the “adapter” windows 10 creates for the IKEv2 connection, it causes an active RDP connection to drop. The internet said that may be nothing, but I thought I’d include it here.

When I monitor the actual Ethernet connection on the Windows 10 IKEv2 client, I see ESP packets flowing between the client and the MikroTik with a max packet length of 1362 bytes from the MikroTik to the client. I believe this is correct given windows limits the IKEv2 connection to 1400 MTU. The client’s max packet length never exceeded 770 bytes during normal use, but that’s probably normal since the client is only sending key strokes and mouse input? I sent a small file through and the client maxed at 1362.

So to this amateur’s eyes, it doesn’t seem to be an MTU issue. I’ve monitored the cores on the MikroTik and it doesn’t appear to be anywhere near max load. What else could be causing my RDP freezes and lag? Bad firewall rules on either side? Something with the multiple routers on each side? I’m at a loss. Thank you.
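The MTU and MSS figures that run through this thread (the Windows client's 1400-byte tunnel MTU, the 1360 MSS in the disabled mangle rule, the ESP packet sizes seen in Wireshark) can be checked by adding up the ESP framing overhead instead of guessing. The Python below is an added example, not code from the thread or from MikroTik. It applies the ESP padding rules of RFC 4303 and the UDP encapsulation of RFC 3948 (NAT-T on UDP 4500, which the active-peers output shows is in use) to the suite in the posted config, aes-128-cbc with sha256 integrity; the per-algorithm constants (16-byte IV, 16-byte cipher block, 16-byte truncated HMAC-SHA-256 ICV) are the standard IPsec values and are stated as assumptions in the code. It reports the largest inner packet that fits a 1500-byte outer MTU without fragmenting the ESP packet, the TCP MSS that goes with it, and the on-the-wire size of a 1400-byte inner packet.

```python
"""ESP/IKEv2 overhead and TCP MSS calculator.

Added example, not code from the thread or from MikroTik. Framing per
RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T).
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
UDP_HDR = 8        # NAT-T encapsulation header (UDP 4500)
TCP_HDR = 20       # MSS is defined against the base TCP header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    iv_len: int     # IV/nonce bytes carried in each ESP packet
    block: int      # padding granularity: cipher block size, or 4 for AEAD/stream ciphers
    icv_len: int    # integrity check value bytes


# standard IPsec algorithm parameters (assumed, not read from the router)
SUITES = {
    "aes-128-cbc/sha256": EspSuite(iv_len=16, block=16, icv_len=16),  # HMAC-SHA-256-128
    "aes-128-cbc/sha1":   EspSuite(iv_len=16, block=16, icv_len=12),  # HMAC-SHA-1-96
    "aes-128-gcm":        EspSuite(iv_len=8,  block=4,  icv_len=16),  # AES-GCM with 16-byte ICV
}


def esp_padding(inner_len, block):
    """Pad bytes so that inner packet + pad + 2-byte trailer is a multiple of block."""
    return (-(inner_len + ESP_TRAILER)) % block


def outer_len(inner_len, suite, natt=True):
    """On-the-wire IPv4 length of the ESP packet carrying an inner_len-byte inner packet."""
    pad = esp_padding(inner_len, suite.block)
    esp = ESP_HDR + suite.iv_len + inner_len + pad + ESP_TRAILER + suite.icv_len
    return IPV4_HDR + (UDP_HDR if natt else 0) + esp


def fits(inner_len, outer_mtu, suite, natt=True):
    """True if the encapsulated packet leaves without being fragmented."""
    return outer_len(inner_len, suite, natt) <= outer_mtu


def max_inner_mtu(outer_mtu, suite, natt=True):
    """Largest inner packet whose ESP encapsulation fits in outer_mtu."""
    inner = (outer_mtu - IPV4_HDR - (UDP_HDR if natt else 0)
             - ESP_HDR - suite.iv_len - ESP_TRAILER - suite.icv_len)
    # step down until the padded form fits (padding rounds up to the block size)
    while inner > 0 and not fits(inner, outer_mtu, suite, natt):
        inner -= 1
    return inner


def tcp_mss(inner_mtu):
    """TCP MSS that keeps a full segment inside inner_mtu."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def report(outer_mtu=1500, natt=True, probe_inner=1400):
    """Per-suite summary: safe inner MTU, matching MSS, and wire size of a probe_inner packet."""
    return {
        name: {
            "inner_mtu": max_inner_mtu(outer_mtu, s, natt),
            "tcp_mss": tcp_mss(max_inner_mtu(outer_mtu, s, natt)),
            "outer_len_of_probe": outer_len(probe_inner, s, natt),
        }
        for name, s in SUITES.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:20s} inner MTU {row['inner_mtu']}  MSS {row['tcp_mss']}  "
              f"1400-byte inner -> {row['outer_len_of_probe']} bytes on the wire")
    print("MSS for the Windows client's 1400-byte tunnel MTU:", tcp_mss(1400))
```

For this suite behind NAT-T, a 1500-byte outer path carries an inner packet of up to 1422 bytes (MSS 1382) without fragmentation, and a 1400-byte inner packet leaves the router as a 1476-byte UDP datagram, so the 1360 MSS in the disabled rule (1400 minus the 40 bytes of inner IP and TCP headers) is already on the safe side. The clamp-to-pmtu rules, by contrast, clamp to the path MTU of the route the packet takes on wlan2, which is the outer path, not the tunnel; they are not tunnel-aware on their own, so a fixed new-mss derived from the numbers above is the more predictable choice when the goal is to keep ESP packets under the outer MTU.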