Hi,
I set up an RB3011 running RouterOS 4.46.1 with an IPSec connection to a Linux VM with strongSwan, but the throughput stays well below the specification. I reach about 170MBit/s through the tunnel (iperf3 -P10). Without the tunnel, I get about 700MBit/s. Using aes256-sha256, aes128-sha256 or aes128-sha1 does not make a substantial difference, so I guess hardware offloading works. During the test, CPU usage is about 45% with one core at about 60%. On the other side, the load stays at about 0.01.
I ordered the firewall rules so that they start with:
add action=accept chain=forward protocol=icmpv6
add action=accept chain=forward dst-address=2001:db8:1::/62 ipsec-policy=in,ipsec src-address=2001:db8:2::/56
add action=accept chain=forward dst-address=2001:db8:2::/56 ipsec-policy=out,ipsec src-address=2001:db8:1::/62
with 2001:db8:1::/62 being the local net and 2001:db8:2::/56 the remote net.
Therefore, I assume that at most three rules are matched before the packet is accepted. Input rules for esp and ike are also the first ones. As the throughput without IPSec is substantially higher, firewall processing should not be the issue anyway…
Is there anything I missed, or is the spec just overoptimistic by a factor of five?
Best regards,
Jan-Martin