RB1200 IPSec performance issue

Hi everyone!

We asked our supplier about a month ago for a Mikrotik device with IPSec AES128 throughput of about 100-140 Mbit/s. He told us that the RB1200 (in the specification, IPSec AES on the device is hardware accelerated) is the replacement of the RB1100 (now I understand that the replacement of the RB1100 is the RB1100AH :) ). We have bought 2 x RB1200 devices to create an EoIP tunnel over IPSec with AES128. After configuration performance is honorable: about 7 Mbit/s and latency 25-27 ms. We have the latest OS, 5.8. I would like to find out how to solve this problem.

Thank you.

How big packets and what was the configuration?

I have tested performance with iperf with default settings. Screenshots are in the attachment. Performance of more than 100 Mbit is with IPSec turned off. With it turned on, 5 Mbit/s.

Scheme:

iPerf Client (HP Notebook with Windows Vista) -> RB1200 -> RB1200 -> iPerf Server (Dell R610 with Windows Server 2008 R2)

IPSec Settings:

[admin@MT_250] > /ip ipsec export

jan/02/1970 02:24:43 by RouterOS 5.8

software id = LG2K-SM1D

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-128 lifetime=30m \
    name=proposal-aes pfs-group=modp1024
/ip ipsec peer
add address=10.100.10.2/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 \
    exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=********* send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.100.10.2/32 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=proposal-aes \
    protocol=all sa-dst-address=10.100.10.2 sa-src-address=10.100.10.1 \
    src-address=10.100.10.1/32 src-port=any tunnel=no

Bridge settings

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="Local Network" \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=bridge-local priority=\
    0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge port
    path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=eoip-local \
    path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=ether5 \
    path-cost=10 point-to-point=auto priority=0x80

EoIP Settings

/interface eoip
add arp=enabled disabled=no l2mtu=65535 local-address=0.0.0.0 mac-address=02:FE:CD:31:91:49 mtu=1500 \
    name=eoip-local remote-address=10.100.10.2 tunnel-id=100

The same configuration is on the second router (restored backup from 1st router with corrections of course).


Hi everyone!

I wonder if I’m alone with this issue? Or do I have some kind of misconfiguration?

What is the real performance with RB1200 boxes? Has anyone tested IPSEC throughput with AES encryption?

Please help!

Thank you!

On the RB1200 (AES-128) you can get max 65Mbps (UDP with 1450 byte packets). TCP will be much slower, ~40Mbps.

Thank you for the reply!!!

So if the throughput of the RB1200 with AES-128 is 65Mbit/s in UDP, what encryption algorithm or VPN type (PPTP or openVPN etc.) should I select to achieve ~120 Mbit/s performance, or is it not possible with this kind of device? And if it is not possible with the RB1200, what device should I select to make it possible?

Thank you!

RB1100AH will handle 120Mbps encrypted traffic.

Now clear. I’ll try to get new RB1100AH devices for tests.

Thank you!

Hi!

I got two RB1200AHx2 devices a few days ago. We have configured them the same as the RB1200 and now encrypted traffic throughput is almost 200Mbit/s. Thank you for the recommendations, mrz.