Packet loss on EoIP/IPSec

I have set up a basic EoIP/IPSec tunnel between two 1100ahx2 with RouterOS 5.25. Everything looks just peachy, except that I seem to experience about 20% packet loss on ICMP echo over the encrypted link. Pinging from Host1 to Host2, MT2 or MT4 shows packet loss, while pinging MT1 or MT3 does not. Is this to be expected?

Additionally, I’m seeing just over 600 Mbps throughput on BTest (UDP packet size 1500) between MT3 and MT4, expected throughput was somewhere above 800 Mbps. I have implemented the configuration described in the hardware encryption section of the IPSec article on the Wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption. Any additional configuration required to reach the 820 Mbps described in the article, or is this an expected consequence of the EoIP encapsulation?
[Attachment: eoip_ipsec1.png]

Edit:

It seems the packet loss is related to IPSec packets arriving out of sequence.

 in-state-sequence-errors: 15960508

bump?

The performance degradation you get is because of EoIP.

Also remember, since you are doing EoIP and IPSec, a lot of packet fragmentation will occur, and fragmenting and reassembling the packets takes a toll on the CPUs as well.
I would say try to adjust the MTU of the EoIP tunnel so that no fragmentation needs to be performed on the routers.

As to the packet loss, post your configs.
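
The MTU adjustment suggested above, worked through as an added example that is not part of the original thread: it computes how large an encrypted EoIP packet becomes and the largest EoIP interface MTU that still fits the path MTU without fragmentation. Assumptions not stated in the thread: IPv4, a 1500-byte path MTU, ESP with AES-CBC and HMAC-SHA1-96, no NAT-T; the function names are hypothetical.

```python
"""Added example: size arithmetic for EoIP carried inside IPsec ESP."""

IP_HDR = 20    # IPv4 header without options
GRE_HDR = 8    # GRE header used by EoIP
ETH_HDR = 14   # inner Ethernet header carried by EoIP
ESP_HDR = 8    # SPI + sequence number

# Assumed transform (the thread does not name one): AES-CBC + HMAC-SHA1-96.
AES_CBC_SHA1 = {"block": 16, "iv": 16, "icv": 12}


def wire_size(l3_len, mode="transport", t=AES_CBC_SHA1):
    """Bytes on the wire for one inner packet of l3_len bytes (EoIP MTU view)."""
    protected = GRE_HDR + ETH_HDR + l3_len
    if mode == "tunnel":
        protected += IP_HDR  # EoIP's own IP header is encrypted as well
    elif mode != "transport":
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # ESP trailer adds pad-length and next-header bytes, then the plaintext
    # is padded up to a whole number of cipher blocks.
    padded = -(-(protected + 2) // t["block"]) * t["block"]
    return IP_HDR + ESP_HDR + t["iv"] + padded + t["icv"]


def max_eoip_mtu(path_mtu=1500, mode="transport", t=AES_CBC_SHA1):
    """Largest EoIP interface MTU whose encrypted packet fits path_mtu."""
    mtu = path_mtu
    while mtu > 0 and wire_size(mtu, mode, t) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        full = wire_size(1500, mode)
        best = max_eoip_mtu(1500, mode)
        print(f"{mode}: 1500-byte inner packet -> {full} bytes on the wire "
              f"(fragmented); largest unfragmented EoIP MTU = {best}")
```

With a different cipher or integrity algorithm, pass a dict with that transform's block, IV and ICV sizes.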