L2TP tunnel (2x MTs) - enable IPsec and MT TX BW tests fail

I have a central RB1200 (as a VPN server - ROS 6.38), into which several MTs VPN-client. I also have IPsec set up on this VPN server and use it often (from MTs, Win7, iOS).

I'm currently setting up a hAP ac lite (ROS 6.38.5) - I was trying to see if there are any speed differences between normal MT to MT L2TP (i.e. with MPPE128) vs using MT to MT L2TP with IPsec (by simply checking off the “IP SEC Secret” option (on the L2TP-client side, of course) and adding my IPsec secret password).

The issue I'm having is: when IPsec is on, on the client side (and I can also confirm, by looking at the server side with Winbox, that cbc-aes128 encryption is being used) - I can only run RX TCP MT tool bandwidth tests. If I try TX TCP MT tool bandwidth tests, it just shows 0.0mbit. The same is true whether I'm doing the BW test to the VPN server's address or to another device also on the VPN server (all my VPN devices are in the same 192.168.x.x/24 subnet) - pings to all devices work fine as well.

Now if I DON'T use IPsec on the client side (and again, I confirm that MPPE128 is the encryption shown on the server side), RX or TX BW tests work fine, as usual. – see my copy/paste below:

[admin@LAPTOP_BAG_MT_hAPacLITE] > too bandwidth-test address=192.168.4.210 protocol=tcp direction=receive tcp-connection-count=2
status: running
duration: 53s
rx-current: 12.0Mbps
rx-10-second-average: 9.2Mbps
rx-total-average: 9.2Mbps
random-data: no
direction: receive

[admin@LAPTOP_BAG_MT_hAPacLITE] > too bandwidth-test address=192.168.4.210 protocol=tcp direction=transmit tcp-connection-count=2
status: running
duration: 61s
tx-current: 0bps
tx-10-second-average: 0bps
tx-total-average: 0bps
random-data: no
direction: transmit




I've tried resetting the hAP ac lite, with no-defaults=yes and starting over, but the result I'm seeing is the exact same. Also tried lowering the client side MTU / MRU - still the same.

Any ideas? (or maybe this is a bug?) - I do have another MT VPN-client on this same VPN-server also using the same IPsec, and that device has no issue running RX or TX BW tests to any of the other VPNs.

tks

It is an MTU problem. Set up change MSS rules to lower TCP MSS.

That has already been in place… even tried lowering MTU / MRU on client side and rebooting both sides. See attached for proof (note the D bc of the ppp profile creating the rule).

Top is server, bottom is client side (in img).

EDIT: see my reply below this one, it was an MTU/MRU - just needed to be unusually low, in this specific ISP / case.
ppp.PNG

Well, it was in fact an MTU / MRU issue. I tried lowering the client side (l2tp-client interface) to 1300/1300 MTU/MRU and the BW test works. I had stopped around 1380 when troubleshooting earlier (and lowering it incrementally and testing, but for some reason it needed to be REALLY low - so maybe it's the ISP I'm using here on the road that has a weird config.)

Thanks for the help/reply MT support!
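
An added example, not part of the original thread: a Python calculation of the per-packet overhead of L2TP over IPsec ESP with AES-CBC, showing how large the outer packet becomes for a given l2tp-client MTU and which MTU fits a given path MTU. The header sizes (NAT traversal active, HMAC-SHA1-96 integrity, 8-byte L2TP header, uncompressed PPP header) and the sample path MTUs are assumptions, not values taken from the posts.

```python
# Added example: outer packet size for L2TP over IPsec ESP (transport mode).
# All header sizes below are assumptions, not measurements from the thread.
IP_HDR = 20        # outer IPv4 header, no options
NATT_UDP = 8       # UDP/4500 encapsulation when NAT traversal is active
ESP_HDR = 8        # SPI + sequence number
AES_CBC_IV = 16    # per-packet IV for AES-CBC
AES_BLOCK = 16     # ESP plaintext is padded to the cipher block size
ESP_TRAILER = 2    # pad-length + next-header bytes (encrypted)
ICV = 12           # assumed HMAC-SHA1-96 integrity check value
L2TP_UDP = 8       # UDP/1701 header
L2TP_HDR = 8       # assumed L2TP data header including the length field
PPP_HDR = 4        # assumed uncompressed PPP address/control + protocol
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers without options


def outer_size(inner_mtu, nat_t=True):
    """Bytes on the wire for one full-size inner IP packet."""
    plaintext = L2TP_UDP + L2TP_HDR + PPP_HDR + inner_mtu + ESP_TRAILER
    encrypted = -(-plaintext // AES_BLOCK) * AES_BLOCK  # round up to a block
    natt = NATT_UDP if nat_t else 0
    return IP_HDR + natt + ESP_HDR + AES_CBC_IV + encrypted + ICV


def max_inner_mtu(path_mtu, nat_t=True):
    """Largest tunnel MTU whose packets fit in path_mtu without fragmenting."""
    mtu = path_mtu
    while mtu > 0 and outer_size(mtu, nat_t) > path_mtu:
        mtu -= 1
    return mtu


def tcp_mss(inner_mtu):
    """TCP MSS that matches a given tunnel MTU."""
    return inner_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    for mtu in (1450, 1380, 1300):   # 1380 and 1300 are the values tried in the thread
        print(f"tunnel MTU {mtu}: outer packet {outer_size(mtu)} bytes, "
              f"MSS {tcp_mss(mtu)}")
    for path in (1500, 1492, 1400):  # constructed path MTUs
        best = max_inner_mtu(path)
        print(f"path MTU {path}: max tunnel MTU {best}, MSS {tcp_mss(best)}")
```

Under these assumptions a tunnel MTU of 1380 still produces 1472-byte outer packets, while 1300 produces 1392-byte ones, so a path that cannot carry much more than 1400 bytes would pass small packets such as pings and stall full-size TCP segments.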