I have a weird problem. I’ve set up L2TP with IPsec encryption. When I test my VPN throughput then my download is much slower than my upload.
Sometimes download is almost equal to the upload.
I’ve been stuck with this for days now. Search is not helping me.
Sometimes the speed is 100+/100+. I’ve tested this in my local network with my android phone when connected to L2TP/IPsec
If you set use-ipsec in the l2tp settings to yes or required, RouterOS creates a dynamic IPsec peer from an internal template. Instead, you can configure one manually, with phase 1 and phase 2 proposals you prefer, which is what @Companion apparently did. There should be no difference in throughput depending on one or other method to be used, though.
Have you tried to use /tool profile while testing the throughput to see whether the CPU isn’t overloaded? Also, have you had a look at /ip ipsec installed-sa to see which encryption and authentication algorithms are in use and whether hardware-acceleration is used (only some algorithms and their combinations can be hardware accelerated, and the set depends on routerboard model)?
Yes. I’ve used /tool profile. Nothing suspicious there. Plenty of CPU power left while testing.
Yes. I’ve checked /ip ipsec installed-sa. Encryption is exactly what I set it to be. SHA256 and AES256. Hardware acceleration was enabled.
So I have no idea what’s the problem.
1450 may be too high for the parameters you have chosen, I have not calculated that.
You need to make sure there is no fragmentation in the router.
The TCP MSS mangle rule helps that (it forces the endpoint to send the proper fragment size).
Also try with SHA1 and AES128 to see if that is any different.
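The overhead calculation left open above can be done as follows. This is an added example, not part of the original posts; it assumes ESP transport mode with a 16-byte IV and block size (AES-CBC), a 16-byte ICV for SHA256 (12 for SHA1), optional NAT-T UDP encapsulation, an 8-byte L2TP header and a 4-byte PPP header. The last two vary with negotiated options, so they are parameters.

```python
# Added example: per-packet overhead of L2TP over IPsec (ESP transport mode).
# Header sizes for L2TP and PPP are assumptions; adjust them to what is negotiated.

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
UDP_HDR = 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte


def outer_size(inner_len, iv=16, block=16, icv=16, natt=True,
               l2tp_hdr=8, ppp_hdr=4):
    """Size on the wire of the ESP packet carrying one inner IP packet."""
    # Everything below is encrypted: UDP/1701 + L2TP + PPP + inner packet.
    plaintext = UDP_HDR + l2tp_hdr + ppp_hdr + inner_len
    # ESP pads plaintext + trailer up to a multiple of the cipher block size.
    encrypted = -(-(plaintext + ESP_TRAILER) // block) * block
    natt_hdr = UDP_HDR if natt else 0   # UDP/4500 encapsulation behind NAT
    return IP_HDR + natt_hdr + ESP_HDR + iv + encrypted + icv


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet whose ESP packet still fits link_mtu unfragmented."""
    for inner in range(link_mtu, 0, -1):
        if outer_size(inner, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")


def tcp_mss(inner_mtu):
    """TCP MSS to clamp to so that full segments fit the inner MTU."""
    return inner_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print("outer size at L2TP MTU 1450:", outer_size(1450))
    mtu = max_inner_mtu()
    print("AES-CBC/SHA256, NAT-T: max MTU", mtu, "MSS", tcp_mss(mtu))
    mtu = max_inner_mtu(icv=12, natt=False)
    print("AES-CBC/SHA1, no NAT-T: max MTU", mtu, "MSS", tcp_mss(mtu))
```

Under these assumptions a 1450-byte inner packet becomes a 1540-byte ESP packet on a 1500-byte link, so it is fragmented after encryption unless the L2TP MTU or the TCP MSS is lowered.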
Already tried it. Set it to 1300…didn’t do anything.
Interests after I tried your firewall configuration on the test router. Traffic filtered but it’s a bit weird to ‘jump’. It should not be.
The 1450 value is a composite of many routers that use L2tp. Everything is okay.
Try to configure the router with:
/ip firewall filter
add action=accept chain=input comment="Allow Established, Related" connection-state=established,related
You can see an example here - open winbox, enter Connect to: demo.mt.lv
Login: demo and no password
Then, request to write or there is a change. Thank you
I already have that rule in my firewall.
I tried testing it without the VPN. Test results were basically the same. Download is way slower than upload. (With my phone [Wifi])
Tried testing it with my PC. Speed seems normal. Download and upload are basically the same or upload is a bit slower.
I think it’s something with the wifi.
I’m using a TP-Link AP but to make sure it’s not the AP’s fault, I enabled Mikrotik’s wifi and the problem is there too.
So it’s not only the VPN’s fault.
If the issue exists regardless whether you use a TP-link AP or Mikrotik’s own AP, it has nothing to do with Mikrotik’s wireless. I’d rather vote for the phone’s wireless compatibility issues as the phone is the common element in these two cases. From the PC/notebook/laptop you’ve tried using wifi as well, or did you use the wired connection that time?
OK. What is important here is that the behaviour is the same with two different APs. Wireless is a wonderland of its own, where interference from other sources as well as compatibility issues can cause a lot of trouble. To find out which phenomenon is actually responsible requires knowing the noise background in the first place. But as you say that a wired connection behaves normally, I think it’s time to start a new topic as L2TP/IPsec doesn’t seem to be related. Of course, confirming this by setting up an L2TP/IPsec client on the PC connected by wire and testing the throughput from there is a necessary step to really make this conclusion.
@companion, please have a look how to properly quote from previous posts, use [quote] and [/quote] for that. May I ask you to edit your previous post?
More important, please do not spread false information that order of chains in firewall is important for performance or anything else than readability. What does matter for functionality and also for performance is the order of rules within the same chain (input, output, forward, user-defined chains), but it is of no importance whether you place all the input rules first or last. It matters for readability, though: if you interleave the rules belonging to different chains like (i1,o1,f1,i2,i3,f2,o2,f3,o3,f4,i4), it works and performs exactly the same as (i1,i2,i3,i4,o1,o2,o3,f1,f2,f3,f4) but it is almost impossible to read.
hi, If the issue exists heedless whether you use a TP-link AP or Mikrotik’s own AP, it has nothing to do with Mikrotik’s wireless. I’d rather vote for the phone’s wireless compatibility issues as the telephone is the collective element in these two cases. From the PC - notebook - laptop you’ve tried using wifi as well, or did you use the wired connection that time?
I tried it in a different computer with wired connection. Download is 110Mbit/s and upload is 120Mbit/s. (VPN enabled)
Don’t know what causes this. Tried turning off firewall…doesn’t do anything.
On a different laptop without VPN there is again the same problem.
Faster upload than download.
I’ve tried absolutely everything. I quit. I’ll switch out my router. I don’t want to deal with this anymore. I don’t get help from anywhere. I even reset my router to default. Nothing helps. MikroTik’s wifi doesn’t work too. Same as AP. VPN doesn’t work. Same as Wifi. I quit.
Bye.
You haven’t said anything regarding WiFi environment exploration (other devices running nearby on overlapping channels) and if you’ve really used 4G to connect, the results must be affected as each packet has to go through the WAN interface twice.
Estonia is not that big, maybe someone living nearby can have a look?
Other devices don’t matter if the results are the same when using 4G without VPN.
When using VPN then 8Mbit/s download and 40Mbit/s upload. When it was bad 4G then without VPN why is my speed 60/50 without VPN.