Community discussions

MUM Europe 2020
 
troo
just joined
Topic Author
Posts: 6
Joined: Mon Nov 07, 2011 2:14 pm

RB1200 IPSec perfomance issue

Tue Nov 08, 2011 2:19 pm

Hi everyone!

We have asked our supplier about month ago for the Mikrotik device with IPSec AES128 thoughput about 100-140 Mbit/s. He told us that RB1200 (in specification IPSec AES device is hardware accelerated) is replacement of RB1100 (now I understand that replacement of RB1100 is RB1100AH :) ). We have bought 2 x RB1200 devices to create EoIP tunnel over IPSec with AES128. After configuration performance is honorable: about 7 Mbit/s and latency 25-27 ms. We have latest OS 5.8. I would like to find out how to solve this problem.

Thank you.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: RB1200 IPSec perfomance issue

Tue Nov 08, 2011 3:46 pm

How big packets and what was the configuration?
 
troo
just joined
Topic Author
Posts: 6
Joined: Mon Nov 07, 2011 2:14 pm

Re: RB1200 IPSec perfomance issue

Tue Nov 08, 2011 4:38 pm

I have tested performance with iperf with default settings. Screenshots are in attachment. Performance more then 100 Mbit is with turned off IPSec. With turned on 5 Mbit/s.

Scheme:

iPerf Client (HP Notebook with Windows Vista) -> RB1200 -> RB1200 -> iPerf Server (Dell R610 with Windows Server 2008 R2)

IPSec Settings:

[admin@MT_250] > /ip ipsec export
# jan/02/1970 02:24:43 by RouterOS 5.8
# software id = LG2K-SM1D
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-128 lifetime=30m \
name=proposal-aes pfs-group=modp1024
/ip ipsec peer
add address=10.100.10.2/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 \
exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=********* send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.100.10.2/32 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=proposal-aes \
protocol=all sa-dst-address=10.100.10.2 sa-src-address=10.100.10.1 \
src-address=10.100.10.1/32 src-port=any tunnel=no

Bridge settings

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="Local Network" \
disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=bridge-local priority=\
0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge port
path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=eoip-local \
path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=ether5 \
path-cost=10 point-to-point=auto priority=0x80
of course
EoIP Settings

/interface eoip
add arp=enabled disabled=no l2mtu=65535 local-address=0.0.0.0 mac-address=02:FE:CD:31:91:49 mtu=1500 \
name=eoip-local remote-address=10.100.10.2 tunnel-id=100

The same configuration is on the second router (restored backup from 1st router with corrections of course).
You do not have the required permissions to view the files attached to this post.
 
troo
just joined
Topic Author
Posts: 6
Joined: Mon Nov 07, 2011 2:14 pm

Re: RB1200 IPSec perfomance issue

Mon Nov 21, 2011 1:18 pm

Hi everyone!

I wonder if I'm alone with this issue? Or I have some kind of misconfiguration?

What is real performance with RB1200 boxes? Does anyone tested IPSEC with AES encryption throughput?

Please help!

Thank you!
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: RB1200 IPSec perfomance issue

Tue Nov 22, 2011 11:53 am

On Rb1200 (AES-128) you can get max 65Mbps (UDP with 1450 byte packets). TCP will be much slower ~40Mbps.
 
troo
just joined
Topic Author
Posts: 6
Joined: Mon Nov 07, 2011 2:14 pm

Re: RB1200 IPSec perfomance issue

Wed Nov 23, 2011 10:38 am

Thank you for reply!!!

So if the throughput of RB1200 with AES-128 is 65Mbit/s in UDP what encryption algorithm or VPN type (PPTP or openVPN etc) I should select to achieve ~120 Mbit/s performance or it is not possible with this kind of device? And if it is not possible with RB1200 what device I should select to make it possible?

Thank you!
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: RB1200 IPSec perfomance issue

Wed Nov 23, 2011 12:12 pm

RB1100AH will handle 120Mbps encrypted traffic.
 
troo
just joined
Topic Author
Posts: 6
Joined: Mon Nov 07, 2011 2:14 pm

Re: RB1200 IPSec perfomance issue

Wed Nov 23, 2011 1:33 pm

Now clear. I'll try to get new RB1100AH devices for tests.

Thank you!
 
troo
just joined
Topic Author
Posts: 6
Joined: Mon Nov 07, 2011 2:14 pm

Re: RB1200 IPSec perfomance issue

Fri Dec 09, 2011 1:51 pm

Hi!

I have got two RB1200AHx2 devices few days ago. We have configured them the same as RB1200 and now encrypted traffic throughput is almost 200Mbit/s. Thank you for recommendations mrz

Who is online

Users browsing this forum: Google [Bot] and 89 guests