VXLAN inside L2TP+IPSec

gotsprings · October 27, 2022, 11:16am

New to VXLANs. But I am always curious to play with things that transport BUM.

Since VXLAN has no encryption… and it requires IPs as endpoints… I figured well I can jam that in side a L2TP+IPSec Tunnel?
I mean… If I have to go across the internet… I SHOULD secure that somehow.

Using straight port forwarding… I was getting over 200M between two hAP AC2s using VXLAN.
Once I put the VXLAN inside the L2TP Tunnel… I drop down to about 50M.

I set up one SSID to bridge with that VXLAN… Connected my phone and I get an IP address from the other side.
I can see and control Sonos. (Broadcast traffic)

Better ways to do this???

osc86 · October 27, 2022, 4:06pm

I’m using VxLAN over wireguard between two hap ac2, but it’s not that much faster.

[SUM]   0.00-10.00  sec  83.2 MBytes  69.8 Mbits/sec                  sender
[SUM]   0.00-10.00  sec  82.8 MBytes  69.5 Mbits/sec                  receiver

chechito · October 27, 2022, 4:53pm

maybe using only ipsec, to take advantage of hardware accelerated ipsec, and fast-track

osc86 · October 27, 2022, 5:06pm

fasttrack is not available on hap ac2, and ipsec hw acceleration, at least in the tests I’ve done, never really made a significant difference in terms of throughput.
Nevertheless it’s worth trying, maybe you’ll get a few extra Mb/s.
Edit: to correct my post, fasttrack is only available for wireless interfaces on this device. However this doesn’t really matter because most of the cpu ressources are used for encapsulating/decapsulating and encrypting/decrypting packets, not so much for plain routing and firewalling.

smyers119 · October 27, 2022, 7:46pm

Well seems ipsec/l2tp/vxlan = 50Mb, and wireguard/vxlan = 70Mb.

Last thing to try is ipsec/gre/vxlan.

then pick whatever is the fastest.