akarpas
Member Candidate
Topic Author
Posts: 103
Joined: Tue Mar 20, 2018 4:46 pm

Slow road warrior VPN speed from client to server

Fri Jun 19, 2020 6:13 pm

[Attachment: L2TP VPN.PNG]
Hello Guys!
So in the picture, I have described the L2TP Road Warrior connection: the device models used and the ISP service provided. The setup is OK, the connection is OK and stable, no problems. The only problem is slow VPN speed.
At Site 1, the PC (L2TP client) is able to get only max 40Mbps of download and 30Mbps of upload. Given that powerful enough devices are used for the setup and that the ISP-provided speed is fast on both ends, the VPN speed is somehow very slow, I'd say.
I have tested the same setup with a Sophos router at Site 2, with the same L2TP IPsec, and the speed was way over 100Mbps, which is a much better speed.
MAX MRU is 1380
Auth. Algorithm - sha1, Encr. Algorithm - aes cbc
Fast path enabled.

I have seen many old topics related to this one, and I have tried a lot of the configurations suggested. Considering that devices have evolved over time, with better and faster hardware, the VPN is still very poor, and I'd say VPN is the bottleneck of MikroTik.

A lot of time has passed since the previous posts related to this topic, so maybe there are changes and new suggestions on how to achieve better speed? In these COVID-19 times VPN speed matters a lot.
Thank you in advance.
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Slow road warrior VPN speed from client to server

Sat Jun 20, 2020 11:55 am

The only thing to come to my mind - the default-profile under /interface l2tp-server server is set to default-encryption by default. But this activates the MPPE encryption, which is a) done in software, so may slow down the connection, and b) is useless as the L2TP packets are encrypted using IPsec. So try to change the default-profile from default-encryption to just default, either in /interface l2tp-server server or in the /ppp secret row representing that particular user, and see whether it changes something about the VPN tunnel speed.

Do I read your diagram right that the 4011 is not involved in VPN handling, i.e. the L2TP session runs between the PC at site 1 and the CCR at site 2?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
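
The export clean-up described in the signature above, as an added example that is not part of the original post: a Python sketch that replaces every distinct public IPv4 address in a saved /export hide-sensitive file with a consistent my.public.ip.N placeholder. The function name, the list of ranges left untouched and the sample export are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: ranges that do not identify a site on the Internet are kept as-is.
KEEP = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]
# Dotted quad that is not part of a longer dotted number.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

# Constructed sample export; documentation addresses stand in for public ones.
SAMPLE = """\
/ip address
add address=192.168.88.1/24 interface=bridge
add address=203.0.113.10/30 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9
/ip ipsec peer
add address=198.51.100.77/32 name=peer1
/ip firewall address-list
add address=203.0.113.10 list=wan
"""


def sanitize_export(text):
    """Return (sanitized text, {original address: placeholder})."""
    mapping = {}

    def swap(match):
        token = match.group(0)
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return token  # not a valid address (e.g. 999.1.1.1): leave it
        if any(addr in net for net in KEEP):
            return token
        # The same address always gets the same placeholder, so rules that
        # refer to each other still line up after the replacement.
        if token not in mapping:
            mapping[token] = "my.public.ip.%d" % (len(mapping) + 1)
        return mapping[token]

    return IPV4.sub(swap, text), mapping


if __name__ == "__main__":
    cleaned, table = sanitize_export(SAMPLE)
    print(cleaned)
```

Only IPv4 literals are handled; IPv6 addresses, DNS names, serial numbers and similar identifiers in an export still need a manual pass.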
 
akarpas
Member Candidate
Topic Author
Posts: 103
Joined: Tue Mar 20, 2018 4:46 pm

Re: Slow road warrior VPN speed from client to server

Sat Jun 20, 2020 3:43 pm

> The only thing to come to my mind - the default-profile under /interface l2tp-server server is set to default-encryption by default. But this activates the MPPE encryption, which is a) done in software, so may slow down the connection, and b) is useless as the L2TP packets are encrypted using IPsec. So try to change the default-profile from default-encryption to just default, either in /interface l2tp-server server or in the /ppp secret row representing that particular user, and see whether it changes something about the VPN tunnel speed.
>
> Do I read your diagram right that the 4011 is not involved in VPN handling, i.e. the L2TP session runs between the PC at site 1 and the CCR at site 2?
Thanks for the advice. Yes, the Site 1 PC is just a client connecting to the L2TP server on site 2 via the internet; site 1 could be any site with any router.
I have tried the default-encryption profile and the default profile as suggested by you, but no success, the speed is the same. I'm using my own created profile, which is basically a copy of the default profile settings.
So I'm lost at this point.
Could it be something related to the firewall FastTrack rule? I even have two IPsec IN and OUT excluding rules above the fasttrack rule, and they don't count any packets as they would if I had a site-to-site tunnel.
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Slow road warrior VPN speed from client to server

Sat Jun 20, 2020 4:39 pm

> Could it be something related to the firewall FastTrack rule? I even have two IPsec IN and OUT excluding rules above the fasttrack rule, and they don't count any packets as they would if I had a site-to-site tunnel.

Fasttracking only interferes with IPsec processing, queueing, and marking in firewall of packets being forwarded between a pair of interfaces of the router, not of packets sent or received by the router itself. When you use L2TP, the packets coming in via the LAN interface are forwarded via the virtual L2TP interface, so fasttracking can handle/affect them, but unless they need rules in /ip firewall mangle to assign them a routing-mark in order that they get routed via the L2TP interface, which is not a typical setup, fasttracking has nothing to interfere with at this stage. The L2TP virtual interface encapsulates the packet coming from LAN into a transport packet, which is sent by the router itself, so it is not handled by fasttracking at all.

Does the IPsec security association show hardware acceleration to be active? Can you ping the VPN gateway's public address from the PC when the VPN is down, and then ping the private address of the router via the VPN when it is up, to compare the response time? How do you measure the speed (for TCP sessions, the round trip delay plays a role)? What does /tool profile show during the test and when no VPN data is transported through the VPN? Can you try to set up a bare IKEv2 VPN instead of the L2TP/IPsec one and compare the speed testing results? Do you have any kind of queue handling in place?
 
akarpas
Member Candidate
Topic Author
Posts: 103
Joined: Tue Mar 20, 2018 4:46 pm

Re: Slow road warrior VPN speed from client to server

Sun Jun 21, 2020 2:39 pm

> > Could it be something related to the firewall FastTrack rule? I even have two IPsec IN and OUT excluding rules above the fasttrack rule, and they don't count any packets as they would if I had a site-to-site tunnel.
>
> Fasttracking only interferes with IPsec processing, queueing, and marking in firewall of packets being forwarded between a pair of interfaces of the router, not of packets sent or received by the router itself. When you use L2TP, the packets coming in via the LAN interface are forwarded via the virtual L2TP interface, so fasttracking can handle/affect them, but unless they need rules in /ip firewall mangle to assign them a routing-mark in order that they get routed via the L2TP interface, which is not a typical setup, fasttracking has nothing to interfere with at this stage. The L2TP virtual interface encapsulates the packet coming from LAN into a transport packet, which is sent by the router itself, so it is not handled by fasttracking at all.
>
> Does the IPsec security association show hardware acceleration to be active? Can you ping the VPN gateway's public address from the PC when the VPN is down, and then ping the private address of the router via the VPN when it is up, to compare the response time? How do you measure the speed (for TCP sessions, the round trip delay plays a role)? What does /tool profile show during the test and when no VPN data is transported through the VPN? Can you try to set up a bare IKEv2 VPN instead of the L2TP/IPsec one and compare the speed testing results? Do you have any kind of queue handling in place?
Thanks for your will to troubleshoot and learning process :).
Yes, under installed SAs I can clearly see "hardware acceleration" is applied. ESP is applied as well.
If I ping the L2TP server (router) gateway (external IP) not via VPN, just over the internet, the ping is something around 23ms.
If I ping the L2TP server local gateway via VPN, the ping is around 18ms.
/ip tools profile | I have run several online services such as Facebook and YouTube via VPN, so L2TP uses from 1 to 3 cores, but usage of the doesn't go above 0.5, mostly 0.0; overall CPU usage doesn't go 1%.
I will set up IKEv2, but I don't think it's going to be any faster, as I have it set up on my home router RB4011, but I will do it and update.
Update:
Did an IKEv2 setup, getting identical speeds: up to 43Mbps download and 35Mbps upload.
With IKEv2 the CPU usage is a little higher, it jumps up to 4% for a sec.
 
akarpas
Member Candidate
Topic Author
Posts: 103
Joined: Tue Mar 20, 2018 4:46 pm

Re: Slow road warrior VPN speed from client to server

Wed Jun 24, 2020 10:43 pm

Anyone else, any ideas?
 
arcsin
just joined
Posts: 1
Joined: Wed Nov 21, 2018 1:30 pm

Re: Slow road warrior VPN speed from client to server

Thu Jun 25, 2020 11:07 pm

In Site 1 via VPN tunnel, 40Mbps of download and 30Mbps of upload is the maximum you can theoretically get (restricted by Site 1 and Site 2 upload speeds).
Last edited by arcsin on Fri Jun 26, 2020 8:52 am, edited 1 time in total.
 
akarpas
Member Candidate
Topic Author
Posts: 103
Joined: Tue Mar 20, 2018 4:46 pm

Re: Slow road warrior VPN speed from client to server

Sat Jun 27, 2020 7:49 pm

> In Site 1 via VPN tunnel, 40Mbps of download and 30Mbps of upload is the maximum you can theoretically get (restricted by Site 1 and Site 2 upload speeds).

It should not be the case, but it sounds logical. But as I have said, if I use a Sophos router on site 2 I'm getting more than 100Mbps speed on site 1 via L2TP.
OK, but it seems you are right. I have just tested with a more powerful MikroTik router where the subscription is only 100Mbps download and 10Mbps upload, and via L2TP client to server I'm getting only 10Mbps, so it relies on the upload speed where the L2TP server is. So why does Sophos give 100Mbps in the same scenario, L2TP+IPsec?
