sgfdhsg
February 22, 2022, 3:34pm
1
Hi guys,
I have a Mikrotik RB4011 as an IPSEC client. The IPSEC server is a Fortigate 100F.
I would like to create a site-to-site connection, the Mikrotik is the client.
The IPSEC connection is fine and reliable. However, I cannot get more than 11 kbit.
However, with the same settings, from a Cisco RV340 I can max the internet connection with 20 Mbit.
Mikrotik settings:
/ip ipsec profile> print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
1 name="Fortigate_profile" hash-algorithm=sha1 enc-algorithm=aes-128
dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec> policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUN SRC-ADDRESS DST-ADDRESS
1 A Fortigate.. yes x.x.x.x y.y.y.y
/ip ipsec> proposal print
1 name="Fortigate" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
/ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="Fortigate" address=a.a.a.a local-address=b.b.b.b profile=Fortigate_profile
exchange-mode=main send-initial-contact=yes
/ip ipsec> identity print
Flags: D - dynamic, X - disabled
0 peer=Fortigate auth-method=pre-shared-key secret="somekey" generate-policy=no
/ip ipsec> profile print
Flags: * - default
1 name="Fortigate_profile" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d
proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
Do you have any idea? Fortinet support does not have any solution…
Thanks,
Sob
February 22, 2022, 6:07pm
2
Do you perhaps have fasttrack in your firewall?
Van9018
February 23, 2022, 2:54am
3
Some things you can try to narrow down the issue:
Go to Tools > Profiler, are any processes using high CPU during your test?
When running the speed test, use Tools > Torch to see what TX/RX is going through the WAN interface, only 11kbit?
Turn off encryption, run the test again, still slow?
If both sides have a public IP on their wan interfaces, turn off NAT-Traversal.
Turn on additional logging under System > Logging, Topics: IPSec
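The same checklist typed into the RouterOS terminal, as an added example that is not part of the thread; "ether1" as the WAN interface is an assumption, and "Fortigate_profile" is the profile name from the original post. The "turn off encryption" step is left out because it changes the proposal on both ends.

```routeros
# Added example, not from the thread: CLI equivalents of the Winbox steps above.
# Assumptions: ether1 is the WAN interface; Fortigate_profile is the OP's IPsec profile.

# 1. CPU: watch for a process such as "encrypting" or "networking" near 100%
#    while the speed test runs (Ctrl-C to stop).
/tool profile

# 2. WAN load: is ether1 really only carrying ~11 kbit of ESP (protocol 50)
#    or UDP/4500 (NAT-T) during the test?
/tool torch interface=ether1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# 3. Hardware offload and tunnel state: in installed-sa print the
#    "H - hw-aead" flag marks SAs handled by the crypto engine.
/ip ipsec installed-sa print
/ip ipsec active-peers print

# 4. Both ends on public IPs: test without UDP encapsulation.
/ip ipsec profile set Fortigate_profile nat-traversal=no

# 5. IPsec logging to memory without per-packet noise, then read it back.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"

# 6. Subsystem error counters (decrypt, replay, "no policy" drops).
/ip ipsec statistics print
```

If step 6 shows growing error counters or step 2 shows almost no ESP on the WAN while the LAN side is busy, the packets are leaving by another path (firewall, NAT or FastTrack) rather than being slowed by the crypto itself.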
Kentzo
February 23, 2022, 3:18am
4
I believe some of the ipsec prints (active-peer?) can show whether encryption is hardware offloaded.
If both sides have a public IP on their wan interfaces, turn off NAT-Traversal.
I wonder how that can affect performance. That’s just 2 extra payloads on a phase 1 handshake.
Van9018
February 23, 2022, 5:27am
5
With NAT-T enabled, all IPSec packets will be wrapped in a UDP packet. A packet capture would show if fragmenting is happening. Although I would not expect fragmenting to cause such a drastic performance penalty.
sgfdhsg
February 23, 2022, 7:48am
6
Yes, I do have a fasttrack connection. Does it matter?
sgfdhsg
February 23, 2022, 7:50am
7
Some things you can try to narrow down the issue:
Go to Tools > Profiler, are any processes using high CPU during your test?
When running the speed test, use Tools > Torch to see what TX/RX is going through the WAN interface, only 11kbit?
Turn off encryption, run the test again, still slow?
If both sides have a public IP on their wan interfaces, turn off NAT-Traversal.
Turn on additional logging under System > Logging, Topics: IPSec
I don’t think this is a CPU issue:
I already turned on logging, but nothing is there, just that it’s a good connection and no errors…
sgfdhsg
February 23, 2022, 7:52am
8
Yes, NAT Traversal is turned on, but I don’t think that causes the problem.
/ip ipsec> active-peer print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL
0 R established 45m54s 2
Sob
February 23, 2022, 7:36pm
9
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack:
FastTracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow (restriction removed in 6.33), IP accounting, IPSec, hotspot universal client, VRF assignment, so it is up to administrator to make sure FastTrack does not interfere with other configuration;
You may have other firewall rules that exclude IPSec traffic from FastTrack, but if you temporarily disable the rule, it’s the quick and simple test.
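Sob's point in configuration form, as an added example that is not code from the thread, from MikroTik's documentation or from the OP's router. The chain layout is modelled on the RouterOS default firewall; the comments and the srcnat rule are assumptions.

```routeros
# Added example, not from the thread: keep FastTrack for ordinary traffic
# but let packets that belong to an IPsec policy take the normal path.

# --- Weak layout: the default FastTrack rule is first in "forward".
# Once a connection is fasttracked, its later packets skip the IPsec
# policy lookup, so only the first packets of each flow reach the tunnel.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related

# --- Corrected layout: accept IPsec-policy traffic *before* FastTrack.
# ipsec-policy=in,ipsec  matches packets that were decapsulated from ESP
# ipsec-policy=out,ipsec matches packets an IPsec policy is about to encrypt
# place-before=0 puts the rule at the top of the chain.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec place-before=0 \
    comment="bypass fasttrack for IPsec (in)"
add chain=forward action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="bypass fasttrack for IPsec (out)"

# Masquerade must not rewrite the source of tunnel traffic either,
# otherwise it no longer matches the policy's src-address.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="no NAT for IPsec"

# Check: the IPsec accept counters should climb during a throughput test,
# and the fasttrack rule should stop counting the tunnel's packets.
/ip firewall filter print stats where comment~"IPsec"
/ip ipsec statistics print
```

Disabling the fasttrack rule entirely, as suggested above, is the quickest test; the rules here are the version you keep once the test confirms it, because they preserve FastTrack for everything that is not in the tunnel.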
sgfdhsg
February 25, 2022, 8:20am
10
Thank you, the mikrotik support team answered the same. I’m gonna try this: https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-NATandFasttrackBypass