L2TP/IPsec slow download, fast upload

martin3444 · Fri Aug 31, 2018 11:07 pm

Hello

I have a weird problem. I've set up L2TP with IPsec encryption. When I test my VPN throughput then my download is much slower than my upload.
Sometimes download is almost equal to the upload.

I've been stuck with this in days now. Search is not helping me.

Sometimes the speed is 100+/100+. I've tested this in my local network with my android phone when connected to L2TP/IPsec

IPsec config:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc

/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=aes-256 exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha256 lifetime=30m secret=Secret

L2TP config:

/ppp profile
add change-tcp-mss=yes dns-server=10.0.0.1,1.1.1.1 local-address=10.0.0.1 name=vpn_profile remote-address=pool_vpn use-compression=yes use-encryption=required use-ipv6=no

/ppp secret
add name=User password=Pass profile=vpn_profile remote-address=10.0.0.2 service=l2tp

/interface l2tp-server
add name=l2tp-user user=user

/interface l2tp-server server
set authentication=mschap2 default-profile=vpn_profile ipsec-secret=Secret max-mru=1460 max-mtu=1460 max-sessions=2 use-ipsec=required

Firewall config:

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah

Other information:
Router: hAP ac2 (RBD52G-5HacD2HnD-TC)
Internet speed: 200/200 Mbit/s

martin3444 · Sun Sep 02, 2018 12:35 am

Anyone?

martin3444 · Sun Sep 02, 2018 4:45 pm

martin3444 · Mon Sep 03, 2018 8:54 pm

Hello!
I also use vpn ipsec. I have no problem. My L2TP configuration is a bit different-
/ interface l2tp server server
set authentication = mschap2 default-profile = vpn_profile ipsec-secret = secret max-mru = 1450 max-mtu = 1450 max-sessions = 2 use-ipsec = NO!
What's your ip firewall config?

Hello and thank you for taking the time to answer

A question for you. How can you use IPsec with your L2TP VPN when your config is set to "use-ipsec = NO". Or am I Missing something?

My IP firewall config:

/ip firewall filter
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=ether1 protocol=udp src-address=!192.168.1.0/24
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop subnet network" in-interface=bridge_guest out-interface=bridge_home
add action=drop chain=forward in-interface=bridge_home out-interface=bridge_guest
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge_home log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward in-interface=bridge_guest log=yes log-prefix=LAN_!LAN src-address=!192.168.2.0/24
add action=accept chain=input comment="L2TP VPN" dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp
add action=accept chain=input  dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input  in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input  in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input comment="L2TP VPN router access allow" disabled=yes dst-address=192.168.1.1 src-address=10.0.0.2
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=input comment="Established, Related" connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="Allow LAN" src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="Accept ping" disabled=yes protocol=icmp
add action=drop chain=input comment="Drop input/Drop ping"
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="L2TP VPN local network allow" disabled=yes dst-address=!10.0.0.2 src-address=10.0.0.2

sindy · Mon Sep 03, 2018 9:19 pm

If you set use-ipsec in the l2tp settings to yes or required, RouterOS creates a dynamic IPsec peer from an internal template. Instead, you can configure one manually, with phase 1 and phase 2 proposals you prefer, which is what @Companion apparently did. There should be no difference in throughput depending on one or other method to be used, though.

Have you tried to use /tool profile while testing the throughput to see whether the CPU isn't overloaded? Also, have you had a look at /ip ipsec installed-sa to see which encryption and authentication algorithms are in use and whether hardware-acceleration is used (only some algorithms and their combinations can be hardware accelerated, and the set depends on routerboard model)?

martin3444 · Mon Sep 03, 2018 10:18 pm

If you set use-ipsec in the l2tp settings to yes or required, RouterOS creates a dynamic IPsec peer from an internal template. Instead, you can configure one manually, with phase 1 and phase 2 proposals you prefer, which is what @Companion apparently did. There should be no difference in throughput depending on one or other method to be used, though.

Have you tried to use /tool profile while testing the throughput to see whether the CPU isn't overloaded? Also, have you had a look at /ip ipsec installed-sa to see which encryption and authentication algorithms are in use and whether hardware-acceleration is used (only some algorithms and their combinations can be hardware accelerated, and the set depends on routerboard model)?

Yes. I've used /tool profile. Nothing suspicious there. Plenty of CPU power left while testing.

Yes. I've checked /ip ipsec installed-sa. Encryption is excactly what I set it to be. SHA256 and AES256. Hardware acceleration was enabled.
So I have no idea what's the problem.

pe1chl · Mon Sep 03, 2018 10:18 pm

Make sure you have correct MTU settings and a TCP MSS mangle rule! Like this:

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn

martin3444 · Mon Sep 03, 2018 10:36 pm

Make sure you have correct MTU settings and a TCP MSS mangle rule! Like this:

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn

Max MTU is 1450, max MRU is 1450. Added this mangle rule, but it didn't change anything. Same problem.

pe1chl · Mon Sep 03, 2018 11:14 pm

1450 may be too high for the parameters you have chosen, I have not calculated that.
You need to make sure there is no fragmentation in the router.
The TCP MSS mangle rule helps that (it forces the endpoint to send the proper fragment size).
Also try with SHA1 and AES128 to see if that is any different.

martin3444 · Tue Sep 04, 2018 9:19 pm

1450 may be too high for the parameters you have chosen, I have not calculated that.
You need to make sure there is no fragmentation in the router.
The TCP MSS mangle rule helps that (it forces the endpoint to send the proper fragment size).
Also try with SHA1 and AES128 to see if that is any different

Already tried it. Set it to 1300...didn't do anything.

Interests after I tried your firewall configuration on the test router. Traffic filtered but it's a bit weird to 'jump'. It should not be.
The 1450 value is a composite of many routers that use L2tp. Everything is okay.
Try to configure the router with:
/ ip firewall filter
add action = accept chain = input comment = "Allow Established, Related" \ connection-state = established, related
You can see an example here - open winbox, enter Connect to: demo.mt.lv
Login: demo and no password
Then, request to write or there is a change. Thank you

I already have that rule in my firewall.

I tried testing it without the VPN. Test results were basically the same. Download is way slower than upload. (With my phone [Wifi])
Tried testing it with my PC. Speed seems normal. Download and upload are basically the same or upload is a bit slower.
I think it's something with the wifi.

I'm using a TP-Link AP but for making sure, it's not the AP-s fault, I enabled Mikrotik's wifi and the problem is there too.
So it's not only the VPN-s fault.

Maybe a bug in RouterOS?

sindy · Tue Sep 04, 2018 9:36 pm

If the issue exists regardless whether you use a TP-link AP or Mikrotik's own AP, it has nothing to do with Mikrotik's wireless. I'd rather vote for the phone's wireless compatibility issues as the phone is the common element in these two cases. From the PC/notebook/laptop you've tried using wifi as well, or did you use the wired connection that time?

martin3444 · Tue Sep 04, 2018 9:39 pm

If the issue exists regardless whether you use a TP-link AP or Mikrotik's own AP, it has nothing to do with Mikrotik's wireless. I'd rather vote for the phone's wireless compatibility issues as the phone is the common element in these two cases. From the PC/notebook/laptop you've tried using wifi as well, or did you use the wired connection that time?

Forgot to mention. I used a wired PC. And now I tested it with a laptop...with the laptop the same problem occures.

sindy · Tue Sep 04, 2018 10:34 pm

OK. What is important here is that the behaviour is the same with two different APs. Wireless is a wonderland of its own, where interference from other sources as well as compatibility issues can cause a lot of trouble. To find out which phenomenon is actually responsible requires to know the noise background at first place. But as you say that a wired connection behaves normally, I think it's time to start a new topic as L2TP/IPsec doesn't seem to be related. Of course, confirming this by setting up an L2TP/IPsec client on the PC connected by wire and testing the throughput from there is a necessary step to really make this conclusion.

sindy · Wed Sep 05, 2018 10:44 am

@companion, please have a look how to properly quote from previous posts, use [quote] and [/quote] for that. May I ask you to edit your previous post?

More important, please do not spread false information that order of chains in firewall is important for performance or anything else than readability. What does matter for functionality and also for performance is the order of rules within the same chain (input, output, forward, user-defined chains), but it is of no importance whether you place all the input rules first or last. It matters for readability, though: if you interleave the rules belonging to different chains like (i1,o1,f1,i2,i3,f2,o2,f3,o3,f4,i4), it works and performs exactly the same as (i1,i2,i3,i4,o1,o2,o3,f1,f2,f3,f4) but it is almost impossible to read.

cheshmesar · Wed Sep 05, 2018 2:37 pm

hi, If the issue exists heedless whether you use a TP-link AP or Mikrotik's own AP, it has nothing to do with Mikrotik's wireless. I'd rather vote for the phone's wireless compatibility issues as the telephone is the collective element in these two cases. From the PC - notebook - laptop you've tried using wifi as well, or did you use the wired connection that time?

thank you

martin3444 · Wed Sep 05, 2018 5:56 pm

Thank you everyone for finding the time to answer.

I tested my vpn with my phones 4G. Connected with vpn and the problem is there too. Download 8Mbit/s and upload 40Mbit/s.

I have no problems if I use 4G only but if I connect via 4G to vpn then speeds are weird.

martin3444 · Wed Sep 05, 2018 8:28 pm

I tried it in a different computer with wired connection. Download is 110Mbit/s and upload is 120Mbit/s. (VPN enabled)
Don't know what causes this. Tried turning off firewall...doesn't do anything.

On a different laptop without VPN there is again the same problem.
Faster upload than download.

martin3444 · Fri Sep 07, 2018 7:05 pm

I've tried absolutely everything. I quit. I'll switch out my router. I don't want to deal with this anymore. I don't get help from anywhere. I even reset my router to default. Nothing helps. MikroTiks wifi doesn't work too. Same as AP. vPN doesn't work. Same as Wifi. I quit.
Bye.

sindy · Fri Sep 07, 2018 7:14 pm

You haven't said anything regarding WiFi environment exploration (other devices running nearby on overlapping channels) and if you've really used 4G to connect, the results must be affected as each packet has to go through the WAN interface twice.

Estonia is not that big, maybe someone living nearby can have a look?

martin3444 · Fri Sep 07, 2018 7:18 pm

You haven't said anything regarding WiFi environment exploration (other devices running nearby on overlapping channels) and if you've really used 4G to connect, the results must be affected as each packet has to go through the WAN interface twice.

What country? Maybe someone can have a look?

Other devices doesn't matter if the results are the same when using 4G without VPN.
When using VPN then 8Mbit/s download and 40Mbit/s upload. When it was bad 4G then without VPN why is my speed 60/50 without VPN.

Country is Estonia.

sindy · Fri Sep 07, 2018 7:31 pm

4G without VPN bypasses the Mikrotik completely.

4G with VPN mean that the packet comes from the mobile network via WAN encapsulated in l2tp, gets extracted from there and goes to the real destination via the same WAN (or vice versa for the opposite direction).

There is no difference at Mikrotik side between a PC connected using a cable and an external AP connected using a cable, so if the performance differs between these two cases, the limitation must be outside the Mikrotik. Interference in the air is the hottest candidate, that's why I have mentioned it first.

Another candidate for the bottleneck could be the phone's CPU, but a much less likely one.

martin3444 · Fri Sep 07, 2018 8:31 pm

4G without VPN bypasses the Mikrotik completely.

4G with VPN mean that the packet comes from the mobile network via WAN encapsulated in l2tp, gets extracted from there and goes to the real destination via the same WAN (or vice versa for the opposite direction).

There is no difference at Mikrotik side between a PC connected using a cable and an external AP connected using a cable, so if the performance differs between these two cases, the limitation must be outside the Mikrotik. Interference in the air is the hottest candidate, that's why I have mentioned it first.

Another candidate for the bottleneck could be the phone's CPU, but a much less likely one.

The computer in which the speeds are normal (wired). When I connect it to the VPN in local network. Then my speeds are 80/100 so...yeah...pretty sure it's a mikrotik problem.
No problem when I use wired connection on PC1. No problem in PC2 when wired. Problem when using wifi on phone. Problem when using wifi on PC2. Problem when using 4G on phone.

With 4G yes, the packet comes from the mobile network via WAN encapsulated in l2tp BUT download speed should still be better than upload speed. Or when download speed is not better then download and upload should be equal.

L2TP/IPsec slow download, fast upload

L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Re: L2TP/IPsec slow download, fast upload

Who is online