Topic Author
Posts: 32
Joined: Thu Feb 14, 2013 9:41 am

EoIP over IPSec performance

Mon Jul 15, 2019 5:15 pm


I need to push about 4 Gbit/s of traffic through the EoIP tunnel with IPsec encryption. Does anyone know if any CCR or CRS will do the job?

Long time Member
Posts: 610
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: EoIP over IPSec performance

Mon Jul 15, 2019 5:42 pm

A CRS will not. See the test results on the product page for what the CCRs can do. Looks like none of them can handle 4 Gbit/s in a single tunnel; possibly a bond of four tunnels may work. ... estresults
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
Forum Guru
Posts: 5381
Joined: Mon Dec 04, 2017 9:19 pm

Re: EoIP over IPSec performance

Mon Jul 15, 2019 6:19 pm

It would have to be at least four independent IPsec SA pairs, each carrying one EoIP, and the EoIP would have to be bonded together - clearly a voucher for a headache. Even worse, if independence of the SA pairs is not enough and you need 4 independent IPsec "sessions", building them between just two public IP addresses is almost mission impossible.

If you want to give it a try, create two private local addresses at one of the devices, and use one tunnel policy with level=unique for each of these addresses at each end, using a common IPsec "session". Then each EoIP tunnel would use another one of these two addresses at that end. This should make it possible for the CCR to handle the cryptography for each pair of SAs by another core, and if it works, you can scale the solution to four tunnels.

However, I'm afraid the overhead of IPsec and of EoIP will eat so much of the throughput that even if you identify and eliminate all sources of fragmentation, you'll end up with 3.5 Gbit/s or even less.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
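
Added example (not part of any post in this thread): a small calculator for the per-packet overhead of EoIP inside ESP tunnel mode, showing how large an inner IP packet can be before the encapsulated packet exceeds the path MTU and has to be fragmented. The cipher suites, the 1500-byte path MTU, IPv4 without options and the absence of NAT-T are assumptions; the thread does not name any of them.

```python
from dataclasses import dataclass

IP_HDR = 20       # outer IPv4 header, no options (assumption)
ETH_HDR = 14      # inner Ethernet header carried by EoIP (no FCS)
GRE_HDR = 8       # GRE header used by EoIP
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv: int       # per-packet IV bytes
    block: int    # padding alignment in bytes
    icv: int      # integrity check value bytes


# Example suites only; the thread does not say which proposal is used.
AES_CBC_SHA1 = EspSuite("aes-cbc + hmac-sha1-96", iv=16, block=16, icv=12)
AES_GCM = EspSuite("aes-gcm, 16-byte ICV", iv=8, block=4, icv=16)


def eoip_packet_len(inner_ip_len: int) -> int:
    """IPv4 packet EoIP emits for one bridged IP packet."""
    return IP_HDR + GRE_HDR + ETH_HDR + inner_ip_len


def esp_tunnel_len(plain_ip_len: int, suite: EspSuite) -> int:
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation."""
    padded = -(-(plain_ip_len + ESP_TRAILER) // suite.block) * suite.block
    return IP_HDR + ESP_HDR + suite.iv + padded + suite.icv


def wire_len(inner_ip_len: int, suite: EspSuite) -> int:
    return esp_tunnel_len(eoip_packet_len(inner_ip_len), suite)


def max_inner_mtu(path_mtu: int, suite: EspSuite) -> int:
    """Largest inner IP packet whose encapsulated form fits path_mtu."""
    mtu = path_mtu
    while wire_len(mtu, suite) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for s in (AES_CBC_SHA1, AES_GCM):
        m = max_inner_mtu(1500, s)
        print(f"{s.name}: 1500 B inner -> {wire_len(1500, s)} B outer; "
              f"max unfragmented inner MTU {m} "
              f"({m / wire_len(m, s):.1%} of outer IP bytes are payload)")
```

The percentage counts only IP-level bytes on the encrypted path; smaller average packet sizes lower it further because the fixed headers are paid per packet.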
