Community discussions

MUM Europe 2020
 
zalexp
just joined
Topic Author
Posts: 10
Joined: Thu Jul 19, 2012 12:47 pm
Location: Russia, Stavropol

vpn perfomance on RB2011L

Wed Nov 28, 2012 12:29 pm

Firstly i wanted to ask about vpn perfomance on RB2011L v5.22 (one as client and another as server). It seemed strange - low cpu load on router and low speed over vpn (it was client-side). Then i realized that server-side router was bottleneck (cpu usage = 100%), so i've got an answer.
I' ve tested some vpn types that could be used for vpn between RB2011L and want to share them, maybe one find them useful. Results are estimated, because they got while copying big file in win7 explorer from PC1 TO PC2 (win7 with share).
Routers were connected over lan as follow:
PC1-sender <-- 100mbit/s --> R1-client - RB2011L <-- 100mbit/s --> R2-server - RB2011L <-- 100mbit/s --> PC2-windows-share-receiving
type          upload speed       max cpu load receiving side, server side          max cpu load sending side, client side
ipsec         1   Mbyte/s        100%	                                                      80%
l2tp/ipsec    2,5 Mbyte/s        90%	                                                       50%
openvpn       1,6 Mbyte/s        100%	                                                      60%
sstp          0,2 Mbyte/s        100%	                                                      8%
configs were as follows (ipsec disabled in configs):
server side configs

/interface sstp-server
add disabled=yes name=sstp-in1 user=""
/interface l2tp-server
add name=l2tp-in1 user=""
/interface ovpn-server
add disabled=yes name=ovpn-in1 user=""
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5
/ip pool
add name=vpnpool1 ranges=192.168.111.1-192.168.111.5
/ppp profile
set 1 local-address=192.168.111.111 only-one=yes remote-address=vpnpool1
/interface l2tp-server server
set enabled=yes
/interface ovpn-server server
set certificate=mtik-central default-profile=default-encryption enabled=yes mode=ethernet port=11194 require-client-certificate=yes
/interface sstp-server server
set certificate=mtik-central default-profile=default-encryption enabled=yes port=444
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 secret=test
add address=10.1.1.226/32 disabled=yes secret=test
/ip ipsec policy
add disabled=yes dst-address=10.2.2.0/24 src-address=192.168.1.0/24 sa-dst-address=10.1.1.226 sa-src-address=10.1.1.1 tunnel=yes
/ip route
add distance=1 dst-address=10.2.2.0/24 gateway=10.1.1.226
/ip address
add address=192.168.1.1/24 interface=ether5
add address=10.1.1.1/24 interface=ether2

===============================================

client side configs

/interface l2tp-client
add connect-to=10.1.1.1 name=l2tp-out1 password=test user=mtik-client
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5
/interface ovpn-client
add certificate=mtik-client connect-to=10.1.1.1 disabled=yes mode=\
    ethernet name=ovpn-out1 password=test port=\
    11194 profile=default-encryption user=mtik-client
/interface sstp-client
add connect-to=10.1.1.1:444 name=sstp-out1 password=test profile=\
    default-encryption user=mtik-client
/ip address
add address=10.1.1.226/24 interface=ether2
add address=10.2.2.1/24 interface=ether3
/ip ipsec peer
add address=10.1.1.1/32 secret=test
/ip ipsec policy
add disabled=yes dst-address=192.168.1.0/24 sa-dst-address=10.1.1.1 \
    sa-src-address=10.1.1.226 src-address=10.2.2.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.111.111
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=10.1.1.1
comments:
LANs are 192.168.1.0/24 and 10.2.2.0/24 (for ipsec)
vpn area 192.168.111.0/24
"inet" area 10.1.1.0/24

It was hard to configure ipsec using wiki article for a first time. There was nothing about routes to office networks and "interesting traffic" that should activate tunnels.

If you found any mistakes or know how to improve perfomance by changing configs (and not by using another hardware), please share it.
It seems that l2tp/ipsec is the best solution. Are there any other considerations when server-side router will serve for several small offices over internet?
 
User avatar
mishaM
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Sun Oct 25, 2009 1:48 pm
Location: Georgia

Re: vpn perfomance on RB2011L

Sun Dec 02, 2012 7:17 pm

that router not have ipsec hardware acceleration , use 1100ax and 1100ax2

Who is online

Users browsing this forum: No registered users and 82 guests