Slow L2TP Performance when using IPSec

Hey All,

Got an issue where throughput is approximately 2-3 times slower over an L2TP tunnel when using IPSec vs using L2TP without IPSec. I've got an RB3011 on one side and a CCR 1009 at the other site. When I run an L2TP tunnel without IPSec I can pull 30-50 Mbps through the tunnel; when I enable IPSec throughput drops to 9-14 Mbps. I don't think CPU is the issue, as the CCR has 1-2% CPU use with IPSec and the RB3011 has only around 60% CPU (note the RB3011 is pushing a lot of traffic and CPU generally hovers around 50%, so only a 10% increase in CPU usage with IPSec). On the CCR side I have a 100/20 bonded DSL connection and the RB3011 is in a colo with a 1 Gbps Ethernet connection (500 Mbps bandwidth). Any ideas on how to improve IPSec performance?

Do you have RouterOS 6.39.1 on the CCR?
What kind of systems do you have behind the routers to test this performance?

Both routers are on version 6.39.1.

I am copying data to an NFS share (behind the CCR1009) from an ESXi Server (behind the RB3011) when I notice the performance degradation.

Is the size of the packets optimized for the MTU?
When it is NFS over TCP, make sure you have an MSS clamping rule in the Mangle forward table.
With NFS over UDP, you will have to somehow set the packet size to 1400 instead of the default 1500.

NFS is using TCP. Is this the correct rule to place in the mangle table:

chain=forward action=change-mss new-mss=1400 passthrough=yes tcp-flags=syn protocol=tcp out-interface= log=no log-prefix=""

Yes that should work… but the 1400 MSS may be too large. I normally use "new-mss=clamp-to-pmtu" so there is no need to calculate.
You can also do a short capture to verify that you only see full-size segments and no fragments.
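As an added illustration (not code from the thread or from MikroTik), the script below works out the largest MSS that still fits a data segment into a single ESP packet for L2TP over IPsec, and then scans tcpdump-style summary lines for fragments and for SYNs advertising a larger MSS. The per-header overhead figures, the AES-CBC/HMAC-SHA1-96 cipher choice, and the capture lines are all assumptions constructed for the example.

```python
"""Sanity checks for MSS clamping on an L2TP/IPsec tunnel (constructed example)."""
import re

# Per-packet overhead of L2TP over IPsec in ESP transport mode, in bytes.
# These figures are this example's assumptions (AES-CBC with a 96-bit ICV),
# not values read from the routers in the thread.
OUTER_IP = 20     # IPv4 header carrying ESP
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 16       # AES-CBC initialisation vector
ESP_ICV = 12      # truncated HMAC, e.g. SHA1-96
ESP_TRAILER = 2   # pad length + next header
ESP_BLOCK = 16    # AES block size; payload + trailer is padded to a multiple
UDP_HDR = 8       # UDP/1701
L2TP_HDR = 8      # L2TP data header with the length field present
PPP_HDR = 4       # address/control + protocol
INNER_IP = 20
TCP_HDR = 20      # no options on data segments


def max_mss(path_mtu: int) -> int:
    """Largest TCP MSS whose data segment fits into one ESP packet of path_mtu."""
    room = path_mtu - OUTER_IP - ESP_HDR - ESP_IV - ESP_ICV   # encrypted payload room
    room -= room % ESP_BLOCK                                  # round down to a whole block
    return room - ESP_TRAILER - UDP_HDR - L2TP_HDR - PPP_HDR - INNER_IP - TCP_HDR


def check_capture(lines, mss_limit: int):
    """Return (fragment lines, oversized SYN MSS values) from tcpdump-style lines."""
    fragments = [l for l in lines if re.search(r"\(frag \d+:", l)]
    oversized = []
    for l in lines:
        m = re.search(r"Flags \[S\.?\].*?mss (\d+)", l)
        if m and int(m.group(1)) > mss_limit:
            oversized.append(int(m.group(1)))
    return fragments, oversized


# Constructed capture lines in tcpdump's summary style, standing in for a real capture.
SAMPLE = [
    "IP 10.0.0.5.4091 > 10.1.0.9.2049: Flags [S], seq 1, win 64240, options [mss 1460], length 0",
    "IP 10.1.0.9.2049 > 10.0.0.5.4091: Flags [S.], seq 2, ack 2, options [mss 1378], length 0",
    "IP 203.0.113.7 > 198.51.100.3: ESP(spi=0x0a1b2c3d,seq=0x1f), length 1480",
    "IP 203.0.113.7 > 198.51.100.3: ip-proto-50 (frag 31337:16@1480)",
]

if __name__ == "__main__":
    limit = max_mss(1500)                 # 1378: a fixed new-mss=1400 already overshoots
    print("max MSS for 1500-byte path:", limit, "| for PPPoE 1492:", max_mss(1492))
    print("fragments / oversized SYN MSS:", check_capture(SAMPLE, limit))
```

With a 1500-byte path the limit comes out below the 1400 used in the rule above, which is why clamp-to-pmtu or a capture check is worth doing before trusting a hand-picked value.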