L2TP on CCR1036 with 1Gbps internet

Hi, sorry if I couldn’t find the answer by searching this nice and useful forum. I have a question about L2TP/IPsec settings for a remote client. The main office and remote locations are on 1Gbps internet and the client needs to transfer big files over VPN. Site-to-site VPN is not doable; it has to be macOS and Win10 clients to a CCR1036-8G-2S+ running v6.46.4.

  1. what maximum speed can be achieved through VPN using 1Gbps internet link on one or two tunnels (client to office with basically no activities)
  2. what would be the best l2tp-ipsec configuration for that

Many thanks in advance. I’ve been through many readings and tries, but my speed is barely reaching 100Mbps.
Please-please help or point me where I can read about it.

Yuri

I can’t tell for sure about L2TP/IPsec, but I have achieved 600-800Mbps over IPsec IKE2 tunnels with a cheaper router capable of hardware encryption. Is your bandwidth up/down symmetric, or do you have a slower upload? Check your core utilization while doing bandwidth tests. Is one core going at 100%?

Thank you Vasilaos,

I didn’t think to check CPU utilization; I wouldn’t know if I can adjust it. Is your IKE2 site-to-site or client-to-site? Can you please steer me to where I can look up a ready IKE2 configuration, steps, example?


Many thanks,
Yuri

I am using multiple site-to-site and road warrior setups with XAuth on the same. Since some sites are on dynamic IPs or behind NAT, I have configured a main branch site with a real IP address in passive mode. Sites aren’t connected only to the main branch but also to other sites when possible, in a mesh-type network.

Here is the configuration for:

main branch Configuration:

# main branch Configuration:

/ip ipsec peer
add exchange-mode=ike2 name=ipsec-in-IKE2 passive=yes send-initial-contact=no

/ip ipsec policy group
add name=Dynamic

/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=site-to-site

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,null name=site-to-site

/ip ipsec identity
add generate-policy=port-strict peer=ipsec-in-IKE2 policy-template-group=Dynamic secret=mysecret

/ip ipsec policy
add dst-address=192.168.1.0/24 group=Dynamic proposal=site-to-site src-address=192.168.0.0/24 template=yes

site Configuration

# site Configuration

/ip ipsec peer
add address=mydomainname.com exchange-mode=ike2 name=main_branch

/ip ipsec profile
set [ find default=yes ] dpd-interval=30s dpd-maximum-failures=3

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,null lifetime=20m

/ip ipsec identity
add peer=main_branch secret=mysecret

/ip ipsec policy
add comment=main dst-address=192.168.0.0/24 peer=main_branch src-address=192.168.1.0/24 tunnel=yes
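
An added audit helper (my own example, not part of this thread and not RouterOS tooling) that parses export lines like the ones above and flags the settings a reviewer would want revisited before the tunnel carries large transfers: null and 3DES in the algorithm lists, the modp1024 group, SHA-1 and disabled DPD. The WEAK_* sets and the severity notes are my assumptions; the sample input is the main-branch peer, profile and proposal lines copied from the post.

```python
import re

# Severity notes are my own assumptions (added example, not RouterOS output).
WEAK_ENC = {"null": "no confidentiality", "3des": "deprecated 64-bit block cipher"}
WEAK_AUTH = {"sha1": "deprecated hash", "md5": "broken hash"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}

# Main-branch lines as posted in the thread above, embedded here as sample input.
MAIN_BRANCH_EXPORT = """
/ip ipsec peer
add exchange-mode=ike2 name=ipsec-in-IKE2 passive=yes send-initial-contact=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=site-to-site
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,null name=site-to-site
"""

def parse_export(text):
    """Yield (section, {key: value}) for each add/set line of a RouterOS export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):             # e.g. "/ip ipsec proposal"
            section = line
            continue
        line = re.sub(r"\[.*?\]", "", line)  # drop "[ find default=yes ]" selectors
        yield section, dict(re.findall(r"(\S+?)=(\S+)", line))

def audit(text):
    """Return (section, setting, reason) for every weak setting found."""
    findings = []
    for section, kv in parse_export(text):
        # phase 1 profiles use enc-algorithm/hash-algorithm, phase 2 proposals the plural forms
        for key in ("enc-algorithm", "enc-algorithms"):
            for alg in kv.get(key, "").split(","):
                if alg in WEAK_ENC:
                    findings.append((section, f"{key}={alg}", WEAK_ENC[alg]))
        for key in ("hash-algorithm", "auth-algorithms"):
            for alg in kv.get(key, "").split(","):
                if alg in WEAK_AUTH:
                    findings.append((section, f"{key}={alg}", WEAK_AUTH[alg]))
        if kv.get("dh-group") in WEAK_DH:
            findings.append((section, "dh-group=" + kv["dh-group"], "DH group below 2048 bits"))
        if kv.get("dpd-interval") == "disable-dpd":
            findings.append((section, "dpd-interval=disable-dpd", "dead peers are never detected"))
    return findings
```

Calling audit(MAIN_BRANCH_EXPORT) on the posted lines returns five findings; paste the output of `/ip ipsec export` into the same function to check your own router.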

vasilaos, you are super…

I will try IKE configuration for sure.

Thank you, thank you!