L2TP VPN delay

Hi,

We have a setup where a van containing a number of machines in a rack travels to a venue and we would like to connect this to the office. We would like the operators in the van to be able to access services at the office and staff in the office to be able to access the machines in the van. We reckon that the best VPN for this situation is L2TP and have used the following as guides to configure the routers. It is only the router in the vans that will initiate the connection and we have a static IP for the office. When the van is not travelling, the rack is in the office and connected to the office LAN.

https://wiki.mikrotik.com/wiki/VPN_(any_type)_between_2_Mikrotik_routers_and_no_static_IP_addresses
https://www.mikrotik.com/testdocs/ros/3.0/vpn/l2tp.pdf

Everything is working fine when the rack is connected to an external internet (we’re using a 3G modem as the external internet); ping times between the routers and hosts on each subnet are fine. We can ssh to the machines on both sides of the VPN with no problem and with the expected response times.

When the router in the rack is connected to the office LAN via the router's WAN port, ping times are fine but any connection to a TCP port suffers from a delay of six seconds or longer. A simple timing test was to use https://gist.github.com/1kastner/e083f9e813c0464e6a2ec8910553e632 and connect to the service with curl or a browser.

Can anyone help us solve this delay problem?

TIA
Duncan

Hi All,

After a bit of research and packet tracing we have resolved that the problem is not L2TP but it is caused by cascading the routers.

hEX looks like this:
eth1 static IP address/25
eth2 has the IP 192.168.50.3/24 serves the IP range 192.168.50.100-150

RB 3011 like this:
eth1 192.168.50.100/24 from hEX
eth2 has the IP 192.168.40.1 and serves the IP range 192.168.40.100-150

On the hEX we have a workstation running Linux with the IP 192.168.50.144/24
On the RB 3011 we have another workstation with the IP 192.168.40.149/24

We execute “time curl http://192.168.40.1” from the Linux host to the router and it takes 6.5 seconds to respond.

What seems to be happening is that the Linux workstation sends a SYN packet to the RB 3011 router through the hEX router and the SYN,ACK is coming back directly to the workstation from RB 3011.

SYN 192.168.50.144 → 192.168.50.3 → 192.168.50.100/192.168.40.1
ACK 192.168.40.1/192.168.50.100 → 192.168.50.144

However, it is not always consistent, as another workstation with the IP 192.168.50.130/24 goes like this:

SYN 192.168.50.130 → 192.168.50.100/192.168.40.1
ACK 192.168.40.1/192.168.50.100 → 192.168.50.130

The same thing happens when connecting to the workstation at 192.168.40.149.

I hope someone can help solve this
Best
Duncan
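
One way to reproduce the first trace in the second post (SYN via the hEX, SYN,ACK straight back) from the addresses given there. This is an added example, not part of the original thread: the node names, the workstation's default gateway, the hEX route to 192.168.40.0/24 and the RB 3011 default route are assumptions, because the thread does not show the routing tables.

```python
import ipaddress

# Constructed routing tables: (prefix, gateway); gateway None means on-link.
# IP addresses are from the post; the routes themselves are assumptions.
ROUTES = {
    "workstation": [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.3")],
    "hEX": [("192.168.50.0/24", None), ("192.168.40.0/24", "192.168.50.100")],
    "RB3011": [("192.168.50.0/24", None), ("192.168.40.0/24", None),
               ("0.0.0.0/0", "192.168.50.3")],
}
ADDRESSES = {
    "workstation": {"192.168.50.144"},
    "hEX": {"192.168.50.3"},
    "RB3011": {"192.168.50.100", "192.168.40.1"},
}

def owner(ip):
    """Return the node that holds this IP address."""
    for node, addrs in ADDRESSES.items():
        if ip in addrs:
            return node
    raise LookupError(f"no node owns {ip}")

def next_node(node, dst):
    """Longest-prefix match on node's table; return the node that gets the packet."""
    best = None
    for prefix, gateway in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gateway)
    if best is None:
        raise LookupError(f"{node} has no route to {dst}")
    # On-link destinations are delivered directly, others go to the gateway.
    return owner(dst if best[1] is None else best[1])

def trace(src_node, dst):
    """List the nodes a packet visits from src_node until it reaches dst."""
    path = [src_node]
    while dst not in ADDRESSES[path[-1]]:
        if len(path) > 8:
            raise RuntimeError("routing loop")
        path.append(next_node(path[-1], dst))
    return path

def one_way_transit(client_ip, server_ip):
    """Return forward path, return path, and nodes that see only one direction."""
    fwd = trace(owner(client_ip), server_ip)
    ret = trace(owner(server_ip), client_ip)
    return fwd, ret, set(fwd) ^ set(ret)
```

Calling `one_way_transit("192.168.50.144", "192.168.40.1")` shows the hEX on the forward path only, because the RB 3011 treats 192.168.50.0/24 as on-link and answers the workstation directly.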