Rafaidea
just joined
Topic Author
Posts: 2
Joined: Wed Mar 27, 2019 6:36 pm

Slow L2TP/IPSEC. ¿Is HW acceleration being used?

Wed Mar 27, 2019 7:44 pm

Hello Mikrotik forum users! First post here, let's see if you can give me a hand.

I have a Mikrotik Routerboard HEX S. The main reason I bought this device is because of HW acceleration in IPSEC. I plan to deploy a LAN to LAN between two residences in the future, and throughput is going to be important.

Nowadays I have the HEX S connected to the ISP, and handling PPPoE. It works great, and I get all the speed that I am paying for (300/300 Mbps) without the CPU even suffering :-).

I have also configured an L2TP/IPSEC server, which I am connecting to from endpoint devices (native macOS and iOS clients). I use it regularly and it works great, but IMO the performance is quite slow. I am getting via Speedtest and fast.com (I know it is not the preferred method...) around 40 - 60 Mbps whenever I am connected to the VPN, regardless of the client used. Yes, I checked the throughput from sites guaranteed to have a much higher available bandwidth.

At that 40-60 Mbps the CPU0 maxes out, so I am guessing that is the bottleneck. How can I know if the encryption is being handled completely on the CPU0 instead of being offloaded to the specific chip? I am using encryption supported according to this table: https://wiki.mikrotik.com/wiki/Manual:I ... celeration. It looks like it is not being offloaded.

Let me share some config and status info, and let's hope you can recommend some things to try to optimize the throughput. Keep in mind that I am not using any complicated firewall rules (fasttrack is enabled, and the VPN connections are being fasttracked), and no other services to burden the CPU, so I think I should expect some more throughput. I am getting better VPN throughput from a much older and somewhat cheaper router from another brand!

I would gladly tinker with the config, but as L2TP/IPSEC is native to endpoints on both iOS and macOS, that is the preferred method.

--
[admin@MikroTik] > ppp profile print
3 name="l2tp-ipsec-profile" local-address=192.168.31.2 remote-address=dhcp-vpn-L2TP use-mpls=default use-compression=no use-encryption=required only-one=default change-tcp-mss=yes use-upnp=no address-list="" dns-server=8.8.8.8 on-up="" on-down=""
--

--
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=IPSEC_optimizar template=yes

1 DA src-address=88.25.89.XX/32 src-port=1701 dst-address=88.15.246.XX/32 dst-port=56989 protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no
proposal=IPSEC_optimizar ph2-count=1
--

--
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none

1 name="IPSEC_optimizar" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none
--

--
[admin@MikroTik] > ppp active print
Flags: R - radius
# NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 USERXXXX l2tp 88.15.246.XX 192.168.31.8 10m19s cbc(aes) + hmac(md5)
--

Thanks!
 
fbi
newbie
Posts: 26
Joined: Fri Nov 04, 2011 11:38 am
Location: Miskolc, Hungary

Re: Slow L2TP/IPSEC. ¿Is HW acceleration being used?

Mon Apr 01, 2019 9:34 pm

Hello!

If you want to know whether you use hardware accelerated ipsec or not, just check:
/ip ipsec installed-sa print
If you see the H flag, it means the ipsec connection is hardware accelerated, otherwise the CPU handles it.
A tip for the throughput problem: Try to disable fast-track rules in your firewall. You can find several forum topics about it here, where this was the solution.

Regards.
 
Rafaidea
just joined
Topic Author
Posts: 2
Joined: Wed Mar 27, 2019 6:36 pm

Re: Slow L2TP/IPSEC. ¿Is HW acceleration being used?

Thu Apr 25, 2019 6:31 pm

Hi fbi, thank you very much for your help.

From the output, I confirmed that in theory hardware acceleration is being used. I also disabled the fasttrack rule and speed did not improve; it is quite disappointing :-(.

I would love to know what speeds other users are getting from HEX / HEX S platforms. Let's see if I am lucky and some of them find this post.

Rafael.
 
Paternot
Long time Member
Posts: 615
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Slow L2TP/IPSEC. ¿Is HW acceleration being used?

Fri Apr 26, 2019 3:59 am

scp between hosts. L2TP/IPSec.
One router is an RB1100AHx2. The other is a 750Gr3 (hEX).

Result:
100% 945MB 6.0MB/s 02:36 (my internet is 60 Mbps up and down, so I can't ask for much more than this)

CPU usage was about 40% in two "cores" (threads, really), with the other two at about 15%.
== EDIT: the CPU usage is from the hEX. ==

One thing I did: the L2TP MTU is set to 1380 (my internet is via PPPoE). Fragmentation is a killer.
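
Why an L2TP MTU such as 1380 keeps L2TP/IPsec packets unfragmented on a PPPoE link, worked through as an added example (not part of any post in this thread). It models ESP transport mode with aes-128-cbc and a 96-bit HMAC as in the proposal shown above; the L2TP and PPP header sizes and the use of NAT-T are assumptions.

```python
# Added example: header sizes below are assumptions for IPv4, ESP transport
# mode with AES-128-CBC and a 96-bit HMAC (MD5 or SHA1).
IPV4 = 20          # outer IPv4 header, no options
NAT_T_UDP = 8      # UDP/4500 encapsulation, present only when NAT-T is in use
ESP_HDR = 8        # SPI + sequence number
AES_CBC_IV = 16    # per-packet IV
AES_BLOCK = 16     # ciphertext must be a multiple of this
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV = 12           # HMAC-MD5-96 / HMAC-SHA1-96 truncated tag
L2TP_UDP = 8       # UDP/1701 header (inside the encrypted part)
L2TP_HDR = 8       # assumed: data header with length field, no Ns/Nr
PPP_HDR = 4        # assumed: address, control and 2-byte protocol (no ACFC/PFC)


def wire_size(inner_len, nat_t=True):
    """Size of the outer IPv4 packet carrying one inner IP packet of inner_len bytes."""
    plaintext = L2TP_UDP + L2TP_HDR + PPP_HDR + inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK   # round up to the AES block size
    return IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + AES_CBC_IV + padded + ICV


def fragments(inner_len, link_mtu=1492, nat_t=True):
    """True if the encapsulated packet exceeds the WAN MTU (1492 = PPPoE over Ethernet)."""
    return wire_size(inner_len, nat_t) > link_mtu


def max_inner_mtu(link_mtu=1492, nat_t=True):
    """Largest L2TP MTU whose full-size packets still fit in one WAN packet."""
    mtu = link_mtu
    while mtu > 0 and fragments(mtu, link_mtu, nat_t):
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for mtu in (1380, 1402, 1403, 1450):   # constructed sample values
        print(mtu, wire_size(mtu), "fragments" if fragments(mtu) else "fits")
    print("largest L2TP MTU on a 1492-byte link:", max_inner_mtu())
```

Under these assumptions 1380 leaves some headroom below the computed limit, which absorbs variation in the L2TP and PPP header sizes.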
