VPN with high latency (220ms RTT)

Hi.

We have 220ms R.T.T. between Malaysia and England.

Any tips for VPN passing SMB? We’re using pure IPSec (no l2tp or other tunnel). It’s working, but on SMB in particular, it seems to transfer, then stall, then pick up again, then stall. Never getting more than ~3mbps out of a 10mbps line (in Malaysia.) We have 100mbps in England.

It is not possible to alter the tcp window size on Windows. You have to allow it to adjust itself, so I’m a bit stuck there.

MSS is clamped to 1320 on the Mikrotik routers (Hex 750gr3 in Malaysia, and rb3011 in UK, soon to be swapped with the new 1100ahx4).

Are there any tips for optimizations I can do? The IPSec tunnel is UDP, but obviously we are passing TCP inside the tunnel. I think maybe some kind of wan optimizer might help but there’s nothing open source that I can try. There’s WanOS but this is limited to 6mbps unless you pay lots of money for it.

The workstation I have been testing with is Windows 10, latest build, and the server is Windows Server 2008 (not R2), but I have also tried a Windows Server 2016 machine and the results are no different, if not worse actually.

I am experimenting with throttling the UK side, where we have 100mbps Internet and where the SMB server is located. I am trying to throttle it back to the ~5mbps that the far end can usually receive. i.e. packet pacing.


What I am seeing is that Server 2016 is barely unusable, Server 2008 is OK but stalls a lot, Samba 4.7.3 on Linux 4.13.16-302 (fedora 27) works better than both.
Usually the speeds will incease and then die, then it takes some time to recover. The Windows Server 2016 takes a long time to recover, with xfer rate sitting at 0kb/s. 2008 recovers after ~30 seconds. Linux recovers immediately.

My advice - use a CHR.
MT hardware routers have a issue with speed on vpn high latency link: http://forum.mikrotik.com/t/slow-speed-through-gre-ipsec-tunnel/128714/1