I have a site-to-site VPN between a WatchGuard firewall and a MikroTik hEX router, connected without problems via IKEv1 with IPsec in tunnel mode.
Pinging from the MikroTik subnet towards the WatchGuard firewall subnet works correctly, with a constant 28 ms round trip, no interruptions, TTL=126.
The problem I have is when I connect via Remote Desktop from the MikroTik site to the server located behind the WatchGuard firewall.
The speed is very, very slow and the connection quality is poor; it disconnects and is slow from the start.
I have also tried configuring IKEv2 with different encryption settings in Phase 1 and Phase 2, with identical results.
Also, to rule things out, I set up the tunnel with a WatchGuard firewall at headquarters A and at remote site B, and the RDP connection is established correctly and runs smoothly.
I have increased the UDP connection tracking timeout to 20 seconds, but with identical results.
OS version is 6.49.7
I'm new to MikroTik and I can't find any clue as to how to solve this, thanks!
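As an added illustration (not commands posted in the thread), the RouterOS terminal commands below show where to inspect the three items the poster and the replies bring up: the UDP connection-tracking timeout that was raised to 20 seconds, the RouterOS version, and whether the IPsec security associations are being handled in hardware. The commands are run on the hEX; no interface, peer or policy names are assumed beyond what RouterOS shows by default, and the note about the `H` flag reflects MikroTik's RouterOS 7 documentation rather than anything shown in this thread.

```routeros
# Added example, not from the thread: RouterOS terminal commands to review
# the settings discussed. Run on the MikroTik hEX.

# 1. Show the current connection-tracking timers. udp-timeout is the value
#    the poster raised to 20 seconds; udp-stream-timeout applies once a UDP
#    flow has seen traffic in both directions.
/ip firewall connection tracking print

# 2. Apply the value the poster mentions (20 s) explicitly, so the running
#    configuration matches what was described.
/ip firewall connection tracking set udp-timeout=20s

# 3. Confirm the RouterOS version. The thread reports 6.49.7; hardware IPsec
#    offload for MMIPS devices such as the hEX is a RouterOS 7 feature
#    (7.6 or later per the reply below).
/system resource print

# 4. Check that Phase 2 is established (ph2-state) and look at the installed
#    SAs. On RouterOS 7 with hardware acceleration the installed-sa list
#    marks accelerated entries with the H flag; on 6.49.x no such flag is
#    expected, so all IPsec work is done by the CPU.
/ip ipsec policy print detail
/ip ipsec installed-sa print
```

The `installed-sa` output is the quickest way to tell whether a ROS7 upgrade actually changed how the tunnel is processed: if the entries still lack the `H` flag after upgrading, the chosen Phase 2 algorithms are not among those the hardware can offload, and the CPU-bound behaviour will be unchanged.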
Hi, it’s a production environment and we only need RDP communication, since our users work with access to the terminal server throughout the infrastructure.
Anav:
There should not be a problem to use RDP when using an IPSEC tunnel.
It's RDP connecting directly to an open port which would worry me (I have seen it being misused by ransomware at the client I am working for, due to negligence by the former IT responsible; luckily we had very good backup systems and proper segregation of systems).
OP:
WireGuard is only a protocol to set up the tunnel, so IPsec or WG doesn't make a difference for your users (provided the WatchGuard box is able to terminate WG? The last time I saw one, it couldn't, but it was not a very recent one, so maybe they can now?)
What speed are we talking about between those two sites over IPSEC ? What should be possible ?
You say you already tested using 2 Watchguards, why not keep those ?
Have you considered moving Hex to ROS7 (7.6 at least) ?
IPSEC HW support was added in ROS7 for MMIPS devices (with latest corrections as of 7.6).
If IPSEC can be handled by HW, you should see a performance improvement.
(see this table for specific info: https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Hardwareacceleration)
OTOH if this is a corporate environment, I’m a bit confused why you use Hex for this (so it seems) important part of the connection.
It’s a good SOHO router (a very good one, if you ask me) but it has its limitations (hence the low price).
You may be in need of something beefier (more dedicated towards IPSEC comm. then).
Or reconsider the setup for that tunnel and move to WireGuard or something else. Depending on the speed needed, two hEXes can be used for a WG tunnel with decent throughput.
My view.
Hi, we value the MikroTik option in less complex scenarios and for clients who do not want to invest in a much more valuable product, as in the case of WatchGuard. And whether it is possible to connect MikroTik and the WatchGuard firewall with the IPsec protocol. I'm thinking that it could be the connection marks that MikroTik uses to verify the traffic…