Hi again everyone.
I have successfully followed Nikita Tarikin’s excellent video presentation on setting up my Mikrotik (hAPac^2) to accept VPN connections from my macbookpro and iphone 8plus over IKE2. I believe I have followed all steps properly and I manage to establish a connection on both my devices and also reach my mikrotik through them. However, it seems that regardless of which mangle/NAT rules I choose (Nikita showed a few examples) and also firewall rule order, the speed is horribly slow and I can’t figure out why. The goal is (obviously) to be able to connect to my home router from a remote location, securely over IKE2 and be able to access my home network - and still retain as high speeds as possible.
- I found a forum post that recommends moving the ipsec rules above/before the fasttrack forward rule, but that did not help. I would appreciate any guidance on how to troubleshoot this!
- I connect via the Mikrotik DDNS "Cloud" hostname (redacted for this forum post as b4xREDACTEDx23.sn.mynetname.net).
- I also have a separate (outgoing) NordVPN connection that is outside the scope of this post; I believe I have disabled it, but please check whether it conflicts with my IKE2 VPN.
Below are my settings, thanks in advance for any recommendation, let me know if you need more detail!
/ip firewall address-list
# "support": hosts allowed to manage the router. Consumed by the input rule
# "Router Access to certain devices", which additionally requires in-interface-list=LAN.
add list=support address=192.168.0.0/24 disabled=yes comment="entire network - during installation only, then disable"
add list=support address=192.168.0.100 comment="macbook pro ethernet"
add list=support address=192.168.0.105 comment="macbook pro wifi"
# "tunnel_NordVPN_MY": source hosts whose traffic is steered into the (currently
# disabled) NordVPN tunnel via the NordVPN mode-config src-address-list.
add list=tunnel_NordVPN_MY address=192.168.0.241 comment="devices linked to the VPN tunnel, as per Mikrotik-authored article on nordvpn.com"
# IKEv2 client pool. NOTE(review): the rule that reads "support" is limited to
# in-interface-list=LAN, and decrypted IPsec packets keep the in-interface of the
# encrypted packet (the WAN side), so this entry is presumably inert unless
# bridge-loopback is a member of the LAN list - verify before relying on it.
add list=support address=10.0.88.0/24 comment="IPSec Connected Clients"
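/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management access only from LAN hosts on the "support" address list.
add action=accept chain=input comment="Router Access to certain devices" in-interface-list=LAN src-address-list=support
# Explicit DNS drops from WAN so the router is never an open resolver; the final
# "Drop All Else" would catch these too, these rules mainly give separate counters.
add action=drop chain=input comment="Drop spoofed DNS requests over UDP" connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop spoofed DNS requests over TCP" connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
# Fix: dst-port=53 instead of port=53. "port" matches source OR destination port, so a
# LAN host could reach any router service (Winbox, SSH, API, ...) just by sending from
# source port 53 and sidestep the "support" list above. Only the destination matters.
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
# Decrypted IKEv2 client traffic to the router (DNS at 10.0.88.1, management, ...).
# ipsec-policy=in,ipsec means the packet was really decapsulated from an IPsec SA, so a
# plain WAN packet with a forged 10.0.88.x source does not match this rule.
add action=accept chain=input comment="IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=10.0.88.0/24
# IKE / NAT-T and plain ESP must be reachable from any source for road-warrior clients;
# who may actually authenticate is decided under /ip ipsec identity.
add action=accept chain=input comment="Allow UDP 500,4500 IPSec" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=drop chain=input comment="Drop All Else"
# ---- forward chain: traffic through the router ----
# The IPsec accepts stay ABOVE fasttrack on purpose: MikroTik documents that
# fasttracked packets bypass the firewall and IPsec processing, so a VPN flow that
# got fasttracked would break (leave the tunnel in clear) rather than get faster.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# The two disabled rules below are strict subsets of "accept in ipsec policy" above;
# they have no effect while disabled and add nothing if enabled.
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to HOME network" disabled=yes dst-address=192.168.0.0/24 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network" disabled=yes dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Inbound port-forwards (the TCP/8080 dst-nat) are admitted only as new, dst-nat'ed
# connections arriving from WAN - nothing else from WAN reaches the LAN.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"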
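/ip firewall mangle
# Clamp TCP MSS for IKEv2 clients so TCP segments fit inside the ESP/UDP-4500 overhead
# without IP fragmentation. 1280 is conservative; it can be raised once the real path
# MTU is known, but fragmented tunnel traffic costs far more throughput than a smaller MSS.
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from 10.0.88.0/24 to ANY" new-mss=1280 passthrough=yes protocol=tcp src-address=10.0.88.0/24 tcp-flags=syn tcp-mss=!0-1280
# Added: the same clamp on the return direction, so the SYN-ACK from the LAN/Internet
# host towards the client also advertises the reduced MSS and both ends agree.
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from ANY to 10.0.88.0/24" new-mss=1280 passthrough=yes protocol=tcp dst-address=10.0.88.0/24 tcp-flags=syn tcp-mss=!0-1280
# Counting-only rules: passthrough never alters the packet. Their counters
# (/ip firewall mangle print stats) show whether TCP really traverses the IPsec
# policies, which is a cheap first check when throughput looks wrong.
add action=passthrough chain=forward comment="ipsec out passthrough for counting" ipsec-policy=out,ipsec protocol=tcp
add action=passthrough chain=forward comment="ipsec in passthrough for counting" ipsec-policy=in,ipsec protocol=tcp
add action=set-priority chain=postrouting comment="Set DSCP to interface priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes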
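/ip firewall nat
# Source NAT for IKEv2 clients reaching the Internet. Added ipsec-policy=out,none, the
# same guard the other srcnat rules carry: RouterOS applies srcnat before IPsec
# encryption, so without it a packet that still has to be encrypted (e.g. client-to-
# client traffic, which matches the out policy towards 10.0.88.0/24) would get its
# inner source rewritten first. Comment typo (10.0.0.88.0/24) fixed.
# NOTE(review): to-addresses=0.0.0.0/0 is a range, not one translation address, and
# out-interface=ether1 differs from the "Unifi" interface the defconf masquerade uses.
# Check this rule's counters; if they stay at zero, enable the masquerade rule below
# (the conventional form for a dynamic WAN address) and disable this one.
add action=src-nat chain=srcnat comment="SRC-NAT IKE2:10.0.88.0/24 --> ether1 traffic" ipsec-policy=out,none out-interface=ether1 src-address=10.0.88.0/24 to-addresses=0.0.0.0/0
add action=masquerade chain=srcnat comment="MSQRD IKE2:10.0.88.0/24 --> WAN traffic" disabled=yes ipsec-policy=out,none out-interface-list=WAN src-address=10.0.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=Unifi
# Exposes 192.168.0.100:8080 to the Internet; admitted by the forward rule "allow port
# forwarding". Keep only while that service is meant to be publicly reachable.
add action=dst-nat chain=dstnat dst-port=8080 in-interface=Unifi protocol=tcp to-addresses=192.168.0.100 to-ports=8080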
/ip ipsec mode-config
# Initiator-side config for the NordVPN tunnel: only traffic sourced from hosts on the
# tunnel_NordVPN_MY list would be routed into it (the peer itself is disabled).
add name=NordVPN responder=no src-address-list=tunnel_NordVPN_MY
# Responder config pushed to IKEv2 clients: one /32 from the pool, full tunnel
# (split-include=0.0.0.0/0 sends ALL client traffic, Internet included, through the
# home router - which is why NAT and the MSS clamp for 10.0.88.0/24 exist), and the
# router's bridge-loopback address as resolver. system-dns=no keeps the router's own
# upstream resolvers from being pushed. NOTE(review): the router must answer DNS on
# 10.0.88.1 (/ip dns allow-remote-requests=yes, not part of this export).
add name="modeconf b4xREDACTEDx23.sn.mynetname.net" address-pool="pool b4xREDACTEDx23.sn.mynetname.net" address-prefix-length=32 split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no
/ip ipsec policy group
add name=NordVPN
# Separate group for the road-warrior template and identities, so client policies
# are never generated from the NordVPN template (and vice versa).
add name="group b4xREDACTEDx23.sn.mynetname.net"
/ip ipsec profile
add name=NordVPN
# Phase-1 (IKE SA) profile for the road-warrior clients. modp1024 (DH group 2) is
# well below current minimums and is only there for legacy clients; current macOS and
# iOS IKEv2 clients can negotiate modp2048 (group 14). Once IPsec logging confirms
# both clients use modp2048, drop modp1024 (and modp1536) from the list.
add name="profile b4xREDACTEDx23.sn.mynetname.net" dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256
/ip ipsec peer
add name=NordVPN address=my22.nordvpn.com disabled=yes exchange-mode=ike2 profile=NordVPN
# passive=yes with no address: the router only ever responds and accepts IKEv2 from
# any source; which clients may complete authentication is decided by /ip ipsec identity.
add name="peer ipsec vpn" exchange-mode=ike2 passive=yes profile="profile b4xREDACTEDx23.sn.mynetname.net"
/ip ipsec proposal
add name=NordVPN disabled=yes pfs-group=none
# Phase-2 (child SA) proposal for the road-warrior clients. The negotiated result is
# whatever overlaps the client's offer, so look at /ip ipsec installed-sa print to see
# which cipher/auth each client actually ended up with:
#  - If that combination is not on MikroTik's IPsec hardware-acceleration table for
#    the hAP ac2's IPQ-4018 SoC, encryption runs in software on this CPU - a plausible
#    cause of the throughput drop. Reordering so an accelerated combination is preferred
#    (or removing the non-accelerated ones) is the first thing to try.
#  - sha1 is presumably kept for compatibility only; drop it once both clients are
#    confirmed to negotiate sha256 or sha512.
# pfs-group=none skips the extra DH exchange on child-SA rekeys (cheaper on this
# hardware, less forward secrecy per child SA).
add name="proposal b4xREDACTEDx23.sn.mynetname.net" auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h pfs-group=none
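/ip ipsec identity
# NordVPN (disabled). The original export published the NordVPN service password and
# account e-mail in clear text; both are redacted here and the password MUST be rotated
# at NordVPN, since anyone who read the original post can use it. Strip password= (and
# any secret=) from identity/peer exports before posting them anywhere.
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=REDACTED-ROTATE-ME peer=NordVPN policy-template-group=NordVPN username=REDACTED
# Road-warrior identities: certificate authentication, with each identity pinned to one
# specific client certificate (match-by=certificate + remote-certificate) and its
# user-fqdn identity, so a certificate issued for c1 cannot authenticate as c2.
# generate-policy=port-strict instantiates the client policy from the template in the
# "group ..." policy group, narrowed to the selectors the client proposes.
add auth-method=digital-signature certificate=b4xREDACTEDx23.sn.mynetname.net comment="VPN IPSEC/IKE2 connection identity for c2 client (iPhone 8 Plus)" generate-policy=port-strict match-by=certificate mode-config="modeconf b4xREDACTEDx23.sn.mynetname.net" peer="peer ipsec vpn" policy-template-group="group b4xREDACTEDx23.sn.mynetname.net" remote-certificate=c2@b4xREDACTEDx23.sn.mynetname.net remote-id=user-fqdn:c2@b4xREDACTEDx23.sn.mynetname.net
add auth-method=digital-signature certificate=b4xREDACTEDx23.sn.mynetname.net comment="VPN IPSEC/IKE2 connection identity for c1 client (macbook pro)" generate-policy=port-strict match-by=certificate mode-config="modeconf b4xREDACTEDx23.sn.mynetname.net" peer="peer ipsec vpn" policy-template-group="group b4xREDACTEDx23.sn.mynetname.net" remote-certificate=c1@b4xREDACTEDx23.sn.mynetname.net remote-id=user-fqdn:c1@b4xREDACTEDx23.sn.mynetname.net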
/ip ipsec policy
add group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 dst-address=0.0.0.0/0 template=yes
# Template for the road-warrior SAs: anything (src 0.0.0.0/0) towards the client pool.
# The identities' generate-policy=port-strict creates one concrete policy per connected
# client from this template; a client proposing selectors outside it is refused.
add group="group b4xREDACTEDx23.sn.mynetname.net" proposal="proposal b4xREDACTEDx23.sn.mynetname.net" src-address=0.0.0.0/0 dst-address=10.0.88.0/24 template=yes comment="IPSec Policy Template b4xREDACTEDx23.sn.mynetname.net"
/ip pool
# LAN DHCP range; 192.168.0.241 (the NordVPN-steered host) sits just outside it.
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.240
# IKEv2 client pool; .1 is reserved for the router itself (bridge-loopback, pushed as DNS).
add name="pool b4xREDACTEDx23.sn.mynetname.net" ranges=10.0.88.2-10.0.88.254 comment="For IPSEC/IKE2 connected clients"
/ip address
add interface=bridge address=192.168.0.1/24 network=192.168.0.0 comment=defconf
# Gives the router an address inside the client pool so it can answer on 10.0.88.1
# (the DNS pushed by mode-config) and so 10.0.88.0/24 is a connected route. It sits on
# a member-less bridge so the address is always up regardless of physical links.
add interface=bridge-loopback address=10.0.88.1/24 network=10.0.88.0 comment="For IPSEC/IKE2 connections"
/interface bridge
add protocol-mode=none name=IPTV
# Member-less bridge that only exists to carry 10.0.88.1/24 (always "running").
add name=bridge-loopback