We need help understanding why our IPSEC performance is taking such a dramatic drop when deploying hardware assisted IPSEC units.
We are getting ready to deploy ~300 hAP ac² units to remote offices around the country. They all trunk data via IPSEC to datacenters around the country, using CCR1036-8G-2S+ units as concentrators, but we are getting nowhere near the throughput we thought we would get. All units run 6.43.4, but the issue is the same with 6.42.5.
The AC2 units (single tunnel, AES-256-CBC, SHA256) should max out around 380Mbit/s. I looked at the configuration used to achieve this and know it is routing-only, stripped down to nothing, so we expect a performance hit when adding any feature that requires connection tracking. We are a bit lost, since we see the same drop when we strip our config down to IPv6 only and remove the 3 rules making up the default-deny firewall, so that no connection tracking is taking place.
We started rolling out in a major metropolitan area and we have been testing sustained throughput using multi-threaded file transfers from multiple hosts on both sides. With no IPsec, just plain routing on both IPv4 and IPv6, we get roughly 360Mbit/s sustained; switching on IPsec, throughput drops to ~120-140Mbit/s. Changing to SHA1 and AES-128-CBC yields the same result.
The bottleneck appears to be single core CPU on the hAP ac². We see 3 cores more or less idling and one core red lining. Keep in mind we are testing using multiple hosts on each side to eliminate any single thread limitations.
Our main suspect is the MSS rule for IPv4, but the flaw in that theory is that it is unclear how an IPv4-only rule could affect the IPv6 throughput.
How would you optimize the config to improve IPSec throughput?
# RouterOS export of a hAP ac2 branch router: two bridges (a Loopback bridge
# that carries the IPsec transport address and a SecureLAN bridge for the LAN
# ports and WLANs), IKE/IPsec tunnels to an IPv4 and an IPv6 concentrator,
# IPv4 source NAT, an IPv4 MSS clamp and a forward-only IPv6 filter.
# Addresses and prefixes are redacted (xxx / xxxx) in this listing.
/interface bridge
# fast-forward is disabled on both bridges; together with the two
# allow-fast-path=no settings below, every packet takes the slow path.
# NOTE(review): worth confirming this is intentional, since the post is
# about forwarding throughput.
add fast-forward=no name=Loopback
add fast-forward=no name=SecureLAN
/interface list
# Interface list used for the WAN side (ether1 is added below).
add name=public
/ip ipsec peer profile
# IKE (phase 1) parameters: AES-256, SHA-256, DH group modp2048.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=SecIPv4Client
# Same parameters for the IPv6 peer, with NAT traversal disabled.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=SecIPv6Client nat-traversal=no
/ip ipsec proposal
# The default proposal is disabled so only "Transport" can be negotiated.
set [ find default=yes ] disabled=yes pfs-group=modp2048
# Phase 2: AES-256-CBC + SHA-256. pfs-group=none turns off Perfect Forward
# Secrecy for child SA rekeys, so their keys derive from the IKE SA only;
# this is a security/CPU trade-off, not a defect by itself.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Transport pfs-group=none
/ipv6 pool
# /56 delegated prefix, handed out as /64s (used by /ipv6 address below).
add name=DefaultIPv6 prefix=xxxx:xxxx:xxxx:xxxx::/56 prefix-length=64
/interface bridge port
# All LAN Ethernet ports and both radios are members of SecureLAN.
add bridge=SecureLAN interface=ether2
add bridge=SecureLAN interface=ether3
add bridge=SecureLAN interface=ether4
add bridge=SecureLAN interface=ether5
add bridge=SecureLAN interface=wlan1
add bridge=SecureLAN interface=wlan2
/interface bridge settings
# Bridge fast path disabled globally.
set allow-fast-path=no
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is not run on the public list.
set discover-interface-list=!public
/ip settings
# IP fast path disabled globally (see note on the bridges above).
set allow-fast-path=no
/interface list member
# ether1 is the WAN/public interface.
add interface=ether1 list=public
/ip address
# LAN gateway address on the SecureLAN bridge.
add address=192.168.0.1/24 interface=SecureLAN network=192.168.0.0
# Public IPv4 address on the Loopback bridge; this is the src-address of
# the IPv4 IPsec policy and the NAT to-addresses below.
add address=xxx.xxx.xxx.xxx interface=Loopback network=xxx.xxx.xxx.xxx
/ip firewall address-list
# RFC1918 space: traffic to these ranges is neither MSS-clamped nor NATed.
add address=10.0.0.0/8 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/24 list=LanSubnets
add address=xxx.xxx.xxx.xxx list=TransportIPv4
/ip firewall mangle
# IPv4-only MSS clamp: rewrites the MSS of LAN-originated SYNs bound for
# non-RFC1918 destinations when the advertised MSS is above 1382, so TCP
# segments fit inside the IPsec tunnel. Being IPv4-only, it cannot be the
# cause of the IPv6 slowdown described in the post.
add action=change-mss chain=forward dst-address-list=!RFC1918 new-mss=1382 passthrough=yes protocol=tcp src-address-list=LanSubnets tcp-flags=syn tcp-mss=!0-1382
/ip firewall nat
# Source NAT of LAN traffic to non-RFC1918 destinations onto the public
# address; this rule needs connection tracking on the IPv4 path.
add action=src-nat chain=srcnat dst-address-list=!RFC1918 src-address-list=LanSubnets to-addresses=xxx.xxx.xxx.xxx
/ip firewall service-port
# All application-layer gateways (connection-tracking helpers) disabled.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec peer
# Both peers authenticate with RSA signatures using the local certificate
# ipsecCert.pem_0 (no pre-shared keys).
add address=xxx.xxx.xxx.xxx auth-method=rsa-signature certificate=ipsecCert.pem_0 profile=SecIPv4Client
add address=xxxx:xxxx:xxxx::xxxx/128 auth-method=rsa-signature certificate=ipsecCert.pem_0 profile=SecIPv6Client
/ip ipsec policy
# Default policy disabled.
set 0 disabled=yes
# IPv4: tunnel everything (0.0.0.0/0) from the public /32 to the IPv4
# concentrator; level=unique gives this policy its own SA pair.
add comment=IPv4 dst-address=0.0.0.0/0 level=unique proposal=Transport sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=0.0.0.0 src-address=xxx.xxx.xxx.xxx/32 tunnel=yes
# IPv6: tunnel the whole LAN /56 to the IPv6 concentrator. No dst-address
# or sa-src-address is given here, so the defaults apply.
# NOTE(review): confirm the default destination selector matches the
# intended "all IPv6 traffic" behaviour.
add comment=IPv6 level=unique proposal=Transport sa-dst-address=xxxx:xxxx:xxxx::xxxx src-address=xxxx:xxxx:xxxx:xxxx::/56 tunnel=yes
/ip service
# Management hardening: telnet, ftp, www, api and api-ssl are off and ssh
# only answers one source address. winbox and www-ssl are not touched by
# this stanza, so they keep whatever setting they had.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=xxx.xxx.xxx.xxx/32
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
# LAN IPv6 address (host part ::234) taken from the delegated pool.
add address=::234 from-pool=DefaultIPv6 interface=SecureLAN
/ipv6 firewall address-list
add address=xxxx:xxxx:xxxx:xxxx::/56 list=LanSubnetsIPv6
/ipv6 firewall filter
# Stateful default-deny for forwarded IPv6: established/related and
# LAN-originated traffic is accepted, everything else is dropped. This is
# forward-chain only: this export contains no IPv6 input-chain rules and
# no /ip firewall filter stanza at all, so the router's own services are
# protected only by /ip service above (and whatever the concentrator side
# filters). Expected if this is the "stripped down" test configuration
# the post describes; not suitable as-is for the production rollout.
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward src-address-list=LanSubnetsIPv6
add action=drop chain=forward
/ipv6 nd
# Router advertisements only on SecureLAN, announcing DNS and flagging
# other-configuration (DHCPv6 for non-address options).
set [ find default=yes ] disabled=yes
add advertise-dns=yes interface=SecureLAN other-configuration=yes
/system clock
set time-zone-name=Europe/Lisbon