NordVPN-IKEv2 slow NET speed

Posted: Fri Jul 12, 2019 10:25 am
by KiralyIstvanFot
Dear All, I tested the IKEv2 connection (6.45.1 FW) to NordVPN, but the response and the speed are too slow, although my net speed is 1Gbit/300Mbit.
With NordVPN the speed is 110/30MBit, but very hectic, and the web pages sometimes load and sometimes run into a timeout.

Does anybody have any experience with this?

Or what is the best VPN provider for MikroTik? I know the ovpn client is not fully functional yet.

I used the mikrotik document: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

Re: NordVPN-IKEv2 slow NET speed

Posted: Fri Jul 12, 2019 4:54 pm
by sindy
Not enough information. Some routerboards support encryption in hardware and some don't, and for years IPsec used to be incompatible with fasttracking although newest (6.44+) RouterOS versions seem not to have this limitation any more. So post your configuration (if you're concerned about privacy, check my automatic signature below), the Routerboard model and RouterOS version are part of the export.

Re: NordVPN-IKEv2 slow NET speed

Posted: Fri Jul 12, 2019 4:58 pm
by msatter
That speed is not too bad. I am using [REDACTED] and I don't have much more (only IKEv2).

I stopped using it for several weeks now because of the many renewals during sessions.

Re: NordVPN-IKEv2 slow NET speed

Posted: Sun Jul 14, 2019 7:41 pm
by fruel
Did you remove your IPsec traffic from fasttrack? I just posted my config example for privateinternetaccess.com VPN (viewtopic.php?f=2&t=150179) connections where you can see it.

I had similar issues - speeds seemed fine initially but the connections were unstable and I got regular timeouts.
With the fasttrack exceptions I am getting now 287/48 MBit/s on a 300/50 connection. (with an RB4011)

Re: NordVPN-IKEv2 slow NET speed

Posted: Mon Jul 15, 2019 10:58 am
by KiralyIstvanFot
> Did you remove your IPsec traffic from fasttrack? I just posted my config example for privateinternetaccess.com VPN (viewtopic.php?f=2&t=150179) connections where you can see it.
>
> I had similar issues - speeds seemed fine initially but the connections were unstable and I got regular timeouts.
> With the fasttrack exceptions I am getting now 287/48 MBit/s on a 300/50 connection. (with an RB4011)

I too have an RB4011. I didn't add what you wrote about the fasttrack exceptions to the firewall.

So is this what you mean? And is it enough to fix the speed and timeout issues?

# basic IPsec fast track exception
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related

Re: NordVPN-IKEv2 slow NET speed

Posted: Mon Jul 15, 2019 1:23 pm
by sindy
There is a specific problem associated to use of ipsec-policy matcher in /ip firewall filter or /ip firewall mangle rules when src-nat needs to be used to make the packets actually match the ipsec policy. The matcher doesn't anticipate future, it merely checks whether the packet's headers as they look like at the very moment when the packet is handled by the rule match to the traffic selector of any policy with action=encrypt. And when the packet passes through the mangle and/or the filter, the src-nat operation is not yet executed, so it doesn't yet match the policy which it will match once the src-nat will happen. So your rule set will not prevent those packets from making their connection fasttracked.

But as said earlier, it seemed to me that fasttracking stopped interfering with IPsec in the recent RouterOS releases, so maybe there is another reason for your lower-than-expected speed. So if you can stop all non-VPN traffic for a while, you can simply disable the fasttracking rule and try whether new connections through VPN will get faster. If you cannot get rid of the other traffic, the best criterion for exclusion from fasttracking seems to be the address-list used by the dynamically added src-nat rule - i.e. you'll add src-address-list=!that-address-list dst-address-list=!that-address-list to the action=fasttrack-connection rule. You can optimize that later, once you confirm that fasttracking is the cause of the speed under expectations.

Re: NordVPN-IKEv2 slow NET speed

Posted: Tue Jul 16, 2019 6:54 pm
by Morphlingg
> Dear All, I tested the IKEv2 connection (6.45.1 FW) to NordVPN, but the response and the speed are too slow, although my net speed is 1Gbit/300Mbit.
> With NordVPN the speed is 110/30MBit, but very hectic, and the web pages sometimes load and sometimes run into a timeout.
>
> Does anybody have any experience with this?
>
> Or what is the best VPN provider for MikroTik? I know the ovpn client is not fully functional yet.
>
> I used the mikrotik document: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

Maybe the problem is with the VPN's server location. Sometimes a VPN doesn't give you the optimal location. I have downloaded a VPN from Veepn.com. It has 48 servers, by the way. So I haven't had any problems with connection and speed yet.

Re: NordVPN-IKEv2 slow NET speed

Posted: Mon Sep 23, 2019 2:30 am
by noko
I have the same issue. The connection is such that even web pages can't fully load.
At first I thought the problem was the MTU size, but changing the MTU to 1200 didn't fix it.

I've tried to exclude IPsec traffic from the fasttrack rule, but got the same result. I don't know how to debug this issue. Maybe the torch tool can help?

Re: NordVPN-IKEv2 slow NET speed

Posted: Tue Oct 08, 2019 9:51 pm
by Rumpel
I think I have same issue here on RBD52G-5HacD2HnD with RouterOS v6.45.6
I have two subnets:
192.168.1.0/24 is for ordinary home router usage. Router itself has address 192.168.1.1 and the rest address space is used for DHCP pool for connected devices.
192.168.2.0/24 is DHCP pool for devices connected to the L2TP server configured on the router.

When I was setting-up NordVPN tunnel (using manual on Mikrotik's wiki page) I decided to route only 192.168.2.0/24 to it so I won't disturb ordinary internet connection at home while doing so. Also I was adding to exceptions some destination addresses which won't go through the tunnel and will be routed directly.
Now after I have configured all that I also want 192.168.1.0/24 to be routed through the NordVPN tunnel so I add it to the corresponding address list. And after that I get a strange situation:
On 192.168.1.0/24 I got above-mentioned problem where I got 25Mbps download speed (maximum for my ISP connection) and nearly 0Mbps (about 0.02Mbps) for upload speed. So browsing on the Web lags a lot. But connections in the exceptions list are going fine at full speed.
At the same time on the same machine when I connect to the VPN server on the router and accordingly get to the 192.168.2.0/24 subnet everything works perfectly and I get maximum download and upload speeds permitted by my ISP through the NordVPN tunnel.

Any ideas how to fix this upload speed problem?

I am really a newbie in all this, so firstly in my case it can simply be some stupid mistake in config and secondly please speak simpler in answers :)

------- UPDATE -------------
I have disabled fasttracking as described by sindy. It helped but didn't solve the problem. With fasttracking disabled I have about 4Mbps upload speed.

Re: NordVPN-IKEv2 slow NET speed

Posted: Tue Oct 15, 2019 11:00 pm
by sindy
With fasttracking disabled, complexity and bad order of your firewall rules could theoretically cause a slowdown. Other than that, bad choice of encryption and/or authentication algorithms in /ip ipsec proposal could be the reason, where "bad" means "not supported in hardware". So once the tunnel is up, check the /ip ipsec installed-sa print for the presence of the H symbol next to the dynamic item ID in the leftmost column, indicating hardware encryption to be used:

[me@MyTik] > ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0xFA1132C1 src-address=x.x.x.x dst-address=y.y.y.y state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="d3b45f4dd85075f97b4a44943aff308c2a3c9f65"
enc-key="9688c7251cfc7bd79cbda89801d818805b629695c68c6284f54843601989d4ae" addtime=oct/15/2019 17:53:45 expires-in=9m12s
add-lifetime=24m/30m current-bytes=3000 current-packets=19 replay=128


If hardware encryption is in use, post the configuration export following the anonymisation hint in my automatic signature below, as the firewall setup may not be optimal.
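
The check described in the post above, as an added example that is not code from any poster: it parses a pasted installed-sa listing, reports which SAs lack the H flag, and blanks the auth-key and enc-key values, since the listing prints live key material. The sample listing, its addresses and its keys are constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of the listing above (dummy addresses and keys).
SAMPLE = """\
Flags: H - hw-aead, A - AH, E - ESP
 0 HE spi=0x0A0B0C0D src-address=192.0.2.10 dst-address=198.51.100.20 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
      enc-key-size=256 auth-key="00112233445566778899aabbccddeeff00112233"
      enc-key="ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" expires-in=9m12s
 1  E spi=0x01020304 src-address=198.51.100.20 dst-address=192.0.2.10 state=mature auth-algorithm=sha256 enc-algorithm=aes-ctr
      enc-key-size=256 auth-key="aabbccdd" enc-key="eeff0011" expires-in=9m12s
"""

ENTRY = re.compile(r"^\s*(\d+)\s+([HAE]*)\s*(\S+=.*)$")    # "<id> <flags> key=value ..."
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
KEY = re.compile(r'\b((?:auth|enc)-key)=("?)[0-9A-Fa-f]+\2')  # not enc-key-size


def redact(text):
    """Blank the SA key material so the listing can be pasted publicly."""
    return KEY.sub(r'\1="<redacted>"', text)


def parse_installed_sa(text):
    """Return one dict per SA: id, flags, and its key=value fields."""
    sas = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            sas.append({"id": int(m.group(1)), "flags": m.group(2), "raw": m.group(3)})
        elif sas and not line.startswith("Flags:"):
            sas[-1]["raw"] += " " + line.strip()   # wrapped continuation line
    for sa in sas:
        sa["fields"] = {k: v.strip('"') for k, v in FIELD.findall(sa.pop("raw"))}
    return sas


def software_sas(text):
    """IDs of SAs without the H flag, i.e. encrypted by the CPU."""
    return [sa["id"] for sa in parse_installed_sa(text) if "H" not in sa["flags"]]


if __name__ == "__main__":
    for sa in parse_installed_sa(SAMPLE):
        f = sa["fields"]
        print(sa["id"], sa["flags"], f["enc-algorithm"], f["auth-algorithm"],
              "hardware" if "H" in sa["flags"] else "software")
    print(redact(SAMPLE))
```
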

Re: NordVPN-IKEv2 slow NET speed

Posted: Tue Oct 15, 2019 11:13 pm
by msatter
Have thought about lowering the MTU because MSS is broken for upload in RouterOS!

viewtopic.php?f=2&t=152831&p=754579#p754579

Set MTU to 1280 and ! 0-1280:

viewtopic.php?f=2&t=143990&p=754524#p754564

Re: NordVPN-IKEv2 slow NET speed

Posted: Wed Oct 16, 2019 8:53 pm
by Rumpel
> With fasttracking disabled, complexity and bad order of your firewall rules could theoretically cause a slowdown. Other than that, bad choice of encryption and/or authentication algorithms in /ip ipsec proposal could be the reason, where "bad" means "not supported in hardware". So once the tunnel is up, check the /ip ipsec installed-sa print for the presence of the H symbol next to the dynamic item ID in the leftmost column, indicating hardware encryption to be used:

There are not so many firewall rules in my config, and CPU usage is not going above 5% while performing speed tests to remote servers. Even on our local ISP network where I have 100Mbps limitation I never got more than 30% CPU usage (with fasttracking disabled) while downloading torrents at full speed.
I have checked hardware support and the H symbol is present in every entry. And I think this potential cause can't explain why I have speed limitation on straight path and don't have it in VPN path because the latter has even more encryption in it but results in more speed.

> Have thought about lowering the MTU because MSS is broken for upload in RouterOS!
> viewtopic.php?f=2&t=152831&p=754579#p754579
> Set MTU to 1280 and ! 0-1280:
> viewtopic.php?f=2&t=143990&p=754524#p754564

Yes! Have added rule for mangle from the second link and it solved the problem! (though I didn't specify ports in my case) Now everything works as expected.

Thank you all for helping me out!

Re: NordVPN-IKEv2 slow NET speed

Posted: Wed Oct 16, 2019 9:14 pm
by msatter
The rule would not have to be present if all was working as expected.

Pleased that helped and I got it again from other members here helping others like me with this.

Re: NordVPN-IKEv2 slow NET speed

Posted: Wed Oct 16, 2019 11:36 pm
by sindy
I'd really love to understand how an MTU issue can cause much lower speed but otherwise working connections. Okay, each packet occupying the whole MTU gets broken into two thanks to IPsec processing which adds extra bytes to it, but that should cause half the speed at worst. And if they didn't get through at all due to wrong MTU, the TCP sessions should completely fail, not just become slow.

Re: NordVPN-IKEv2 slow NET speed

Posted: Wed Oct 16, 2019 11:59 pm
by msatter
I have looked with Wireshark at what is happening when I get a slow start and half the speed. This was recently.

On download it finds the correct MTU with or without the MSS line and also if clamp to pmtu is activated. Working great.

On upload all goes haywire and the MTU is not found and it even went so far that it failed completely and it got stuck on MTU 536. I could not resolve it by activating the MSS line or even restarting the router. Only a restore of a backup could untangle the MTU knot.
I looked at the ICMP traffic and it was destined for my client but it never made it out of the router and the IPSEC grabbed it and nothing happened. It was marked as NAT so it should be communicated to my client that it should lower the MTU to 1382.

In the past I had an L2TP connection and then I had no traffic when I reached the second part of speedtest.net. Sometimes it worked and then again not.

Using IKEv2 now and being better informed, I now have the MSS line always active, and sometimes even then the upload is off when, as an example, I post here and that goes very slowly or parts of the forum don't work. It can take a few minutes or even days before I can post again or log in. I am used to that by now.

I have sent a supout.rif to Mikrotik when my router was in a locked MTU status and till now I have only received the automatic confirmation.

Re: NordVPN-IKEv2 slow NET speed

Posted: Tue Nov 12, 2019 2:18 pm
by msatter
> I'd really love to understand how an MTU issue can cause much lower speed but otherwise working connections. Okay, each packet occupying the whole MTU gets broken into two thanks to IPsec processing which adds extra bytes to it, but that should cause half the speed at worst. And if they didn't get through at all due to wrong MTU, the TCP sessions should completely fail, not just become slow.

I have not solved it but could narrow it down thanks to support by Mikrotik.

viewtopic.php?f=2&t=153825

Re: NordVPN-IKEv2 slow NET speed

Posted: Fri Dec 27, 2019 11:31 pm
by CuninganReset
I have the same problem with NordVPN, very slow connection when browsing, ping or dns resolution works great but browsing is like a big shit.

I have done the MSS change in the mangle attending to the recommendation from Mikrotik but it is still not working for me.

Re: NordVPN-IKEv2 slow NET speed

Posted: Fri Dec 27, 2019 11:34 pm
by CuninganReset
I answer myself: I have tried with the Mangle rule and also disabling the fasttrack on the router and now it appears to be lightspeed.

Right now it is working for me, or at least those are the first impressions.

Re: NordVPN-IKEv2 slow NET speed

Posted: Sat Dec 28, 2019 12:58 am
by msatter
Traffic going through IKEv2 can not be fasttracked so that was your problem.

MTU see: viewtopic.php?f=2&t=154449&p=763404#p763404

Re: NordVPN-IKEv2 slow NET speed

Posted: Tue Mar 10, 2020 10:28 pm
by gion
Hi! It is my first post on this site and my knowledge of networking is very basic. So I have read the posts related to NordVPN-IKEv2 slow NET speed and still can not understand how to configure HAP ac2 with NordVPN. All I need is to hide my IP location. I have configured a separate LAN for one of the ports and assigned it to a separate bridge. Now it remains to configure the IPsec. I have followed the instructions from https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS and the speed is very slow. I have tried to change/add add action=none dst-address=<local>/24 src-address=0.0.0.0/0, but no effect. So as I understood the problem was not in MTU <add action=change-mss chain=forward disabled=yes ipsec-policy=in,ipsec log-prefix=MSS new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn>, correct? Moreover I was not able to add it in ipsec policy.

Is there somebody to show me like to a dump what exactly should I change in this tutorial ->https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS?

Thank you
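
The IPsec overhead discussed earlier in the thread, worked through as an added example (not code from any poster). It assumes IPv4, ESP in tunnel mode with NAT-T UDP encapsulation, AES-CBC with HMAC-SHA1 and a 1500-byte path MTU; under those assumptions the largest MSS that avoids fragmentation is 1382, which matches the new-mss value in the rule quoted above.

```python
# Sizes in bytes from the IPv4/UDP/ESP specifications (not from the thread).
OUTER_IPV4, NAT_T_UDP, ESP_HEADER, ESP_TRAILER = 20, 8, 8, 2
CIPHERS = {"aes-cbc": {"iv": 16, "block": 16}}      # per-packet IV, pad alignment
ICV = {"sha1": 12, "sha256": 16, "sha512": 32}      # truncated HMAC lengths
TCP_IP_HEADERS = 40                                  # inner IPv4 + TCP, no options


def fixed_overhead(enc, auth, nat_t):
    """Bytes added to every packet regardless of its length."""
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + CIPHERS[enc]["iv"] + ICV[auth])


def esp_packet_size(inner_len, enc="aes-cbc", auth="sha1", nat_t=True):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    block = CIPHERS[enc]["block"]
    # Payload, padding and the 2-byte trailer are encrypted as whole blocks.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return fixed_overhead(enc, auth, nat_t) + encrypted


def max_inner_packet(path_mtu, enc="aes-cbc", auth="sha1", nat_t=True):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - fixed_overhead(enc, auth, nat_t)
    room -= room % CIPHERS[enc]["block"]
    return room - ESP_TRAILER


def clamp_mss(path_mtu, **kw):
    """TCP MSS to clamp to so that full segments are not fragmented."""
    return max_inner_packet(path_mtu, **kw) - TCP_IP_HEADERS


if __name__ == "__main__":
    print("full-size inner packet on the wire:", esp_packet_size(1500))
    print("largest unfragmented inner packet:", max_inner_packet(1500))
    print("MSS to clamp to:", clamp_mss(1500))
    print("MSS without NAT-T:", clamp_mss(1500, nat_t=False))
```
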

Re: NordVPN-IKEv2 slow NET speed

Posted: Wed Mar 11, 2020 1:48 pm
by msatter
You can test it by editing your own posting and pressing the Preview button. If nothing is happening or it is very slow then you need the MTU workaround in IPSEC.

You have to check that you did not enable Fasttracking on traffic going through the VPN.

Re: NordVPN-IKEv2 slow NET speed

Posted: Sat May 23, 2020 2:26 am
by gabborgabbor
dear msatter and sindy, this worked so fine and i was getting crazy about it, i'm not using nordvpn btw but the policy line and disabling fasttrack worked like a breeze!
hugs and kisses ;)
br gabbo