Community discussions

 
User avatar
sjafka
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jan 03, 2018 5:45 pm

L2TP IPSec speed

Wed May 30, 2018 3:24 pm

Dear MikroTik Community,


i"ve set up an l2tpipsec vpn, but the speed is really slow, what should i check?


Thank you in andvance!
 
User avatar
sjafka
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jan 03, 2018 5:45 pm

Re: L2TP IPSec speed

Wed May 30, 2018 3:41 pm

Dear MikroTik Community,


i"ve set up an l2tpipsec vpn, but the speed is really slow, what should i check?


Thank you in andvance!
i searched and found a forum, where they said, lowering MRU did for them, so for me. Whats the impact now, thath i lowered MRU? Could someone pls explain?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: L2TP IPSec speed

Thu May 31, 2018 9:46 am

Some devices have special IPsec acceleration hardware built in. Like the hEX, new cAPac, new hAP ac^2
No answer to your question? How to write posts
 
User avatar
sjafka
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jan 03, 2018 5:45 pm

Re: L2TP IPSec speed

Thu May 31, 2018 11:12 am

Thank you guys, for your answer, ill check later out, my college has an ac2, ill try out, but on a RB2011UiAS i get somewhat about 500kbit/sec, is it normal(so i should just check out other HW), or should i check things out in my config (if yes, what would u check out?) Thank you in advance!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: L2TP IPSec speed  [SOLVED]

Thu May 31, 2018 11:18 am

IPsec is very CPU intensive. You need either a powerful machine, or IPsec acceleration chip. RB2011 is an older device, it may not be as powerful for IPsec at higher speed.
No answer to your question? How to write posts
 
User avatar
sjafka
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jan 03, 2018 5:45 pm

Re: L2TP IPSec speed

Thu May 31, 2018 11:57 am

IPsec is very CPU intensive. You need either a powerful machine, or IPsec acceleration chip. RB2011 is an older device, it may not be as powerful for IPsec at higher speed.
Thank you for answering, i know this is other topic but i'll ask: i choosed IPsec because i read that this should be one the best (and under best i mean secure). Is there any other vpn type i could use with this machine, to achieve a better performance and security? Thank you in advance
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: L2TP IPSec speed

Thu May 31, 2018 12:00 pm

IPsec is the best and most secure. I also recommend using this VPN type.
PPTP is no longer considered secure.
No answer to your question? How to write posts
 
User avatar
sjafka
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jan 03, 2018 5:45 pm

Re: L2TP IPSec speed

Thu May 31, 2018 12:15 pm

IPsec is the best and most secure. I also recommend using this VPN type.
PPTP is no longer considered secure.

Thank you!
 
User avatar
sjafka
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jan 03, 2018 5:45 pm

Re: L2TP IPSec speed

Thu Jun 07, 2018 12:58 pm

Some devices have special IPsec acceleration hardware built in. Like the hEX, new cAPac, new hAP ac^2
Hi Normis,

i tried the same with a hap ac2 and the result is the same if not a little bit slower. I get ~500kb/s with this router too. Could you please help me out?
 
User avatar
nichky
Long time Member
Long time Member
Posts: 526
Joined: Tue Jun 23, 2015 2:35 pm

Re: L2TP IPSec speed

Thu Jun 07, 2018 1:28 pm

export your conf
Nikola Suminoski
MikroTik Consultan
MTCRE l MTCWE

!) Safe Mode is your friend;
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPSec speed

Thu Jun 07, 2018 3:58 pm

Some devices have special IPsec acceleration hardware built in. Like the hEX, new cAPac, new hAP ac^2
Hi Normis,

i tried the same with a hap ac2 and the result is the same if not a little bit slower. I get ~500kb/s with this router too. Could you please help me out?
Hardware encryption only works for particular encryption algorithms, so maybe your proposal is too wide and some algorithm which does not have hardware encryption support is negotiated.

But as @nichky said, publish the output of
/ip ipsec export hide-sensitive
/interface l2tp-server export hide-sensitive
/ip ipsec peer print


(don't forget to remove secret=xxxx from the output of the last command).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
daggerCVN
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: L2TP IPSec speed

Sun Oct 14, 2018 5:49 pm

All - using this existing thread as I'm having the same issue: I have a L2TP IPSEC VPN setup on my hEX r3 router and am only getting about 65Mbps throughput (its connected to a 500M fiber circuit). Here are the ipsec config outputs:

[admin@MikroTik Lab] > /ip ipsec export hide-sensitive
# oct/14/2018 10:36:13 by RouterOS 6.40.9
# software id = TYIJ-MRTU
#
# model = RouterBOARD 750G r3
# serial number = 6F3906415ED1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 generate-policy=port-override passive=\
yes

[admin@MikroTik Lab] > /interface l2tp-server export hide-sensitive
# oct/14/2018 10:43:38 by RouterOS 6.40.9
# software id = TYIJ-MRTU
#
# model = RouterBOARD 750G r3
# serial number = 6F3906415ED1
/interface l2tp-server server
set default-profile=profile-vpn enabled=yes use-ipsec=yes

[admin@MikroTik Lab] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R address=0.0.0.0/0 passive=yes auth-method=pre-shared-key
secret="xxxx" generate-policy=port-override
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5

1 DR address=::/0 passive=yes auth-method=pre-shared-key secret="xxxx"
generate-policy=port-strict policy-template-group=default
exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp2048,modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPSec speed

Sun Oct 14, 2018 6:06 pm

Does /ip ipsec installed-sa print show the H attribute in the leftmost-but-one column at both peers? If not, there is no support for Hardware acceleration for the negotiated combination of auth-algorithms and enc-algorithms on the peer which misses the H. Check this table, including all the *, **, and ***, to see for what combinations of algorithms the hardware acceleration is available.

If one of the devices is not a Mikrotik one, and you have hardware acceleration at Mikrotik side, the bottleneck is the other device.

One other point is that many small packets give worse throughput than fewer larger packets. So you'll always get better off with file transfers over TCP than with e.g. voice traffic which uses ~250 byte UDP packets.

Triple figthfulness (which is what děs means in Czech) is definitely not a secure choice these days.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
daggerCVN
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: L2TP IPSec speed

Sun Oct 14, 2018 6:41 pm

Thanks sindy. The installed-sa check shows all connections as HE I did note the 3des encryption and I just followed one of the guides to setup the vpn, so I just changed it to only use aes encryption and retested/reconnected and now the installed-sa shows aes. No change in speed, so may be device (laptop) limitation??
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPSec speed

Sun Oct 14, 2018 7:32 pm

The test results page of hEX S says that for 512-byte packets, the IPsec throughput is around 170 Mbit/s. The L2TP overhead takes quite a lot off the packets, so for an 8 Mbit/s stream tunnelled via L2TP via IPsec, the transport stream has some 11 Mbit/s. It still doesn't explain your 65 Mbit/s, but I have no idea what else on Mikrotik side might be the bottleneck. If the MTU at the client is not proportionally reduced, you may have each packet fragmented to one long and one short one, which makes me think about the 521-byte frames rather than 1500 byte ones.

So if you can, try with several clients at a time. If the summary throughput is higher, it is likely a client-side limitation; if it is still your 65 Mbit/s, it is likely a Mikrotik side limitation. Of course I assume that when you measure from a laptop connected directly to Mikrotik's LAN interface with no L2TP/IPsec, the throughput is much higher.

I would test it myself but I lack the 500 Mbit/s uplink here :-)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
daggerCVN
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: L2TP IPSec speed

Mon Oct 15, 2018 1:08 am

I tried another client device and it got 135Mbps. these are default windows machines with default MTU settings. That said, it looks like it's client related, thank you again for your inputs and guidance.

Cheers - dagger
 
daggerCVN
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: L2TP IPSec speed

Mon Oct 15, 2018 4:43 pm

Ran thru a different device at a different location. Got as high as 145Mbps. I watched the CPU load on the four vCores, and cpu0 was hitting 95% - 100% during the speed tests, so this looks like device dependent and router model cpu load levels. Thanks again.
 
ahtoh
just joined
Posts: 10
Joined: Fri Jan 25, 2013 3:10 pm

Re: L2TP IPSec speed

Mon Oct 07, 2019 4:14 am

I set up my wAP ac to use as L2TP/IPSec client and it reaches 100% cpu load when I run speed test.
The maximum throughput speed I get is about 26-27 Mbps
Are these numbers OK or I should look into optimizing some settings?
 
ahtoh
just joined
Posts: 10
Joined: Fri Jan 25, 2013 3:10 pm

Re: L2TP IPSec speed

Wed Oct 09, 2019 6:21 pm

Switched to ipesc/ikev2 and get slightly better speed around 34 mbps with aes-128-cbc.
Looks like this router does not support ipsec encryption acceleration

Who is online

Users browsing this forum: MSN [Bot] and 8 guests