yoliveras
just joined
Topic Author
Posts: 3
Joined: Mon Jun 29, 2020 11:21 pm

MTU for L2TP with IPSec through LTE

Mon Jun 29, 2020 11:51 pm

Hello.

I've searched a lot and haven't found an answer to this question so I bit the bullet and have to ask, thank you in advance for any help.

We are a pharmacy and I've set up an L2TP connection with IPSec through the LTE connection in a wAP LTE kit US (https://mikrotik.com/product/wap_lte_kit_us) that I'm using for an external employee in a hospital. This has to be HIPAA compliant so logic tells me to use IPSec. Of course throughput using IPSec is an issue so I want to maximize the connection, especially between the remote Windows computer and local Windows Server.

I've tried different MTU settings but seems a lotta hassle so I just wanna compute the MTU but there's no info anywhere about my setup in terms of LTE header + L2TP header + IPSec header + TCP/IP header. The LTE interface is reporting an MTU of 1480 and if I change it to anything larger, it will cease to function. I've set up both the L2TP server and client with an MTU of 1400 and "Change TCP MSS" to YES in the PPP profile. Seems to work but still I can only wring ~35% of the 25 mbps LTE data.

Bandwidth test between Mikrotiks says 6 mbps but as I see it, the remote computer still has a lotta headroom because when it's communicating and having a bad time waiting for data, I see the L2TP client at less than 1 mbps, per the "Interfaces" menu's rate and the wAP's CPU is nowhere near maxed out. Also, I don't know if Mikrotik's bandwidth test is representative of SMB performance in "virtual local network", if I may.

Have any of you done this type of setup and have some useful values I can use?

Thanks,
Yubal
 
yoliveras
just joined
Topic Author
Posts: 3
Joined: Mon Jun 29, 2020 11:21 pm

Re: MTU for L2TP with IPSec through LTE

Tue Jun 30, 2020 9:36 pm

With the Windows default MTU of 1500 and L2TP MTU of 1400 I had only .800 Mbps on iperf.

I found the way to change the MTU on the remote Windows machine's Ethernet interface to 1300 and, with L2TP MTU of 1400, got pretty good results but still only 9 Mbps both ways as measured with iperf, Windows to Windows. Getting closer to 50% of the LTE connection but the wAP's tiny CPU is getting maxed out. I wonder if I can still optimize some more through MTU.

I found this overhead calculator, would you think this 1390 is accurate of the value I should use in the L2TP's MTU, over LTE's 1480 MTU?

What protocol should I layer on top to get a good value for Windows? Also, why has it improved even if I have not modified the other Windows Server's MTU?
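
A worked version of the header arithmetic asked about above, as an added example that is not part of the original posts. It assumes IPv4, ESP in transport mode, an 8-byte L2TP data header, 4 bytes of PPP framing and, by default, NAT-T UDP encapsulation; all names in it are made up for this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EspSuite:
    iv: int     # IV bytes sent with every packet
    block: int  # alignment the encrypted part is padded to
    icv: int    # integrity check value (truncated MAC or AEAD tag)

# Sizes for two common ESP suites (assumed; check your IPsec proposal).
AES_CBC_SHA1 = EspSuite(iv=16, block=16, icv=12)
AES_GCM_16 = EspSuite(iv=8, block=4, icv=16)

OUTER_IP = 20    # IPv4 header without options
UDP = 8          # used for L2TP (port 1701) and for NAT-T (port 4500)
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header

def outer_size(inner, suite, nat_t=True, l2tp=8, ppp=4):
    """Bytes on the LTE link for one inner IP packet of `inner` bytes."""
    # Transport mode: the L2TP UDP header is encrypted, the outer IP is not.
    clear = UDP + l2tp + ppp + inner + ESP_TRAILER
    padded = -(-clear // suite.block) * suite.block  # round up to block size
    return (OUTER_IP + (UDP if nat_t else 0) + ESP_HDR
            + suite.iv + padded + suite.icv)

def max_inner_mtu(path_mtu, suite, **kw):
    """Largest inner packet whose encapsulation still fits in path_mtu."""
    inner = path_mtu
    while inner > 0 and outer_size(inner, suite, **kw) > path_mtu:
        inner -= 1
    return inner

def tcp_mss(inner_mtu):
    """MSS to clamp to: inner MTU minus IPv4 and TCP headers (no options)."""
    return inner_mtu - 40

if __name__ == "__main__":
    LTE_MTU = 1480  # value the LTE interface reports in the thread
    for name, suite in (("aes-cbc/sha1", AES_CBC_SHA1), ("aes-gcm", AES_GCM_16)):
        for nat_t in (True, False):
            mtu = max_inner_mtu(LTE_MTU, suite, nat_t=nat_t)
            print(f"{name:13} nat-t={nat_t!s:5} l2tp-mtu={mtu} mss={tcp_mss(mtu)}")
    print("outer size at L2TP MTU 1400:", outer_size(1400, AES_CBC_SHA1))
```

Under these assumptions an L2TP MTU of 1400 yields a 1488-byte outer packet with NAT-T and exactly 1480 bytes without it, so whether the LTE path applies NAT decides whether the outer packets get fragmented.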

 
jprietove
Trainer
Posts: 123
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: MTU for L2TP with IPSec through LTE

Tue Jun 30, 2020 11:16 pm

You use MRU and set it to 1500. L2TP slices the packets on one side of the tunnel and the slices can be reconstructed at the end of the tunnel.
It's different to fragmentation, because the reconstruction is done in the router and not at the destination.


Sent from my Mi A2 using Tapatalk

 
yoliveras
just joined
Topic Author
Posts: 3
Joined: Mon Jun 29, 2020 11:21 pm

Re: MTU for L2TP with IPSec through LTE

Wed Jul 01, 2020 12:05 am

You use MRU and set it to 1500. L2TP slices the packets on one side of the tunnel and the slices can be reconstructed at the end of the tunnel.
It's different to fragmentation, because the reconstruction is done in the router and not at the destination.


Sent from my Mi A2 using Tapatalk
So you mean, I just leave everything as I have it set:

remote site: LTE MTU=1480 (set by T-Mobile), L2TP MTU=1400 (with IPSec) and Windows workstation MTU=1300
local site: L2TP MTU=1400, Windows Server MTU=1500 (unchanged)

Then just set L2TP MRU to 1500? At both ends, I presume?

Thanks, by the way, this is very important.
Last edited by yoliveras on Fri Jul 03, 2020 11:39 pm, edited 1 time in total.
 
jprietove
Trainer
Posts: 123
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: MTU for L2TP with IPSec through LTE

Wed Jul 01, 2020 9:21 am

So you mean, I just leave everything as I have it set:
thanks, by the way, this is very important.
No, what I mean is trying this configuration:

Server:
/interface l2tp-server server set max-mru=1500
Client:
/interface l2tp-client add name=l2tp-client user=l2tp-user password=123 connect-to=10.1.101.100 disabled=no max-mru=1500
