littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

L2tp/IPSEC performance blows?

Sat May 25, 2013 12:10 am

picture says it all, less than 1 mbit on a 750, barely 2 mbit on a 951

this was lan-lan tested over gigabit

anyone?

i can do roughly 44mbit on pptp

support says i should be able to do 20mbit on 750, does not appear that is really true?

anyone else seeing similar results.

i'm going to pop another ticket, but i'm not expecting much
 
biomesh
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: L2tp/IPSEC performance blows?

Sat May 25, 2013 3:53 pm

What is your l2tp Server max mru set to? You might want to try 1420 instead of 1460. Post your config if it didn't help.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Sat May 25, 2013 3:55 pm

i've played with it, doesn't change anything, just gives slightly better stability
 
ayufan
Member
Posts: 334
Joined: Sun Jun 03, 2007 9:35 pm

Re: L2tp/IPSEC performance blows?

Sat May 25, 2013 4:20 pm

Change IPsec proposal to use md5 with aes. It should boost performance significantly. Default sha1 with 3des is very slow on these devices.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Sat May 25, 2013 4:25 pm

will this work with default windows clients? i'm not overly familiar with auth schemes?

do i change it under peer as well? i see similar settings?


i will try the changes Thanks!


looking this over a bit, i assume i only make the changes on the peer tab?

since i am not using policies, i assume i am not using proposals since under peers i have nothing to indicate which proposal?
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Tue May 28, 2013 8:04 pm

bump
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Tue May 28, 2013 9:19 pm

> Change IPsec proposal to use md5 with aes. It should boost performance significantly. Default sha1 with 3des is very slow on these devices.

getting errors about dh group? is this a bug??? only working for me on ds3 right now
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:47 ipsec,debug ip: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
May/28/2013 14:15:47 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
May/28/2013 14:15:47 ipsec,debug ip: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:47 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:47 ipsec,debug ip: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
May/28/2013 14:15:47 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
May/28/2013 14:15:47 ipsec,debug ip: no suitable proposal found.
May/28/2013 14:15:47 ipsec,debug ip: failed to get valid proposal.
May/28/2013 14:15:49 ipsec,debug,packet ip: ==========
May/28/2013 14:15:49 ipsec,debug,packet ip: 384 bytes message received from 10.0.1.9[500] to 10.0.1.1[500]
May/28/2013 14:15:49 ipsec,debug,packet ip: begin.
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=1(sa)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=13(vid)
May/28/2013 14:15:49 ipsec,debug,packet ip: succeed.
May/28/2013 14:15:49 ipsec,debug ip: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May/28/2013 14:15:49 ipsec,debug ip: received Vendor ID: RFC 3947
May/28/2013 14:15:49 ipsec,debug ip: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May/28/2013 14:15:49 ipsec,debug ip: 
May/28/2013 14:15:49 ipsec,debug ip: received Vendor ID: FRAGMENTATION
May/28/2013 14:15:49 ipsec,debug,packet ip: received unknown Vendor ID
May/28/2013 14:15:49 ipsec,debug,packet ip: received unknown Vendor ID
May/28/2013 14:15:49 ipsec,debug,packet ip: received unknown Vendor ID
May/28/2013 14:15:49 ipsec,debug ip: Selected NAT-T version: RFC 3947
May/28/2013 14:15:49 ipsec,debug,packet ip: total SA len=208
May/28/2013 14:15:49 ipsec,debug,packet ip: begin.
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=2(prop)
May/28/2013 14:15:49 ipsec,debug,packet ip: succeed.
May/28/2013 14:15:49 ipsec,debug,packet ip: proposal #1 len=200
May/28/2013 14:15:49 ipsec,debug,packet ip: begin.
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=3(trns)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=3(trns)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=3(trns)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=3(trns)
May/28/2013 14:15:49 ipsec,debug,packet ip: seen nptype=3(trns)
May/28/2013 14:15:49 ipsec,debug,packet ip: succeed.
May/28/2013 14:15:49 ipsec,debug,packet ip: transform #1 len=40
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: encryption(aes)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Key Length, flag=0x8000, lorv=256
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: hash(sha1)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=20
May/28/2013 14:15:49 ipsec,debug ip: invalid DH group 20.
May/28/2013 14:15:49 ipsec,debug,packet ip: transform #2 len=40
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: encryption(aes)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Key Length, flag=0x8000, lorv=128
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: hash(sha1)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=19
May/28/2013 14:15:49 ipsec,debug ip: invalid DH group 19.
May/28/2013 14:15:49 ipsec,debug,packet ip: transform #3 len=40
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: encryption(aes)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Key Length, flag=0x8000, lorv=256
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: hash(sha1)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: hmac(modp2048)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug,packet ip: transform #4 len=36
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: encryption(3des)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: hash(sha1)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: hmac(modp2048)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug,packet ip: transform #5 len=36
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: encryption(3des)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: hash(sha1)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: hmac(modp1024)
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug,packet ip: pair 1:
May/28/2013 14:15:49 ipsec,debug,packet ip:  0x490688: next=(nil) tnext=0x4906a0
May/28/2013 14:15:49 ipsec,debug,packet ip:   0x4906a0: next=(nil) tnext=0x4906b8
May/28/2013 14:15:49 ipsec,debug,packet ip:    0x4906b8: next=(nil) tnext=(nil)
May/28/2013 14:15:49 ipsec,debug,packet ip: proposal #1: 3 transform
May/28/2013 14:15:49 ipsec,debug,packet ip: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
May/28/2013 14:15:49 ipsec,debug,packet ip: trns#=3, trns-id=IKE
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Key Length, flag=0x8000, lorv=256
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug,packet ip: Compared: DB:Peer
May/28/2013 14:15:49 ipsec,debug,packet ip: (lifetime = 86400:28800)
May/28/2013 14:15:49 ipsec,debug,packet ip: (lifebyte = 0:0)
May/28/2013 14:15:49 ipsec,debug,packet ip: enctype = AES-CBC:AES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: (encklen = 128:256)
May/28/2013 14:15:49 ipsec,debug,packet ip: hashtype = MD5:SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: authmethod = pre-shared key:pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: dh_group = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
May/28/2013 14:15:49 ipsec,debug,packet ip: trns#=4, trns-id=IKE
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug,packet ip: Compared: DB:Peer
May/28/2013 14:15:49 ipsec,debug,packet ip: (lifetime = 86400:28800)
May/28/2013 14:15:49 ipsec,debug,packet ip: (lifebyte = 0:0)
May/28/2013 14:15:49 ipsec,debug,packet ip: enctype = AES-CBC:3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: (encklen = 128:0)
May/28/2013 14:15:49 ipsec,debug,packet ip: hashtype = MD5:SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: authmethod = pre-shared key:pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: dh_group = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
May/28/2013 14:15:49 ipsec,debug,packet ip: trns#=5, trns-id=IKE
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug,packet ip: Compared: DB:Peer
May/28/2013 14:15:49 ipsec,debug,packet ip: (lifetime = 86400:28800)
May/28/2013 14:15:49 ipsec,debug,packet ip: (lifebyte = 0:0)
May/28/2013 14:15:49 ipsec,debug,packet ip: enctype = AES-CBC:3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: (encklen = 128:0)
May/28/2013 14:15:49 ipsec,debug,packet ip: hashtype = MD5:SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: authmethod = pre-shared key:pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: dh_group = 1024-bit MODP group:1024-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Key Length, flag=0x8000, lorv=256
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
May/28/2013 14:15:49 ipsec,debug ip: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug ip: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
May/28/2013 14:15:49 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
May/28/2013 14:15:49 ipsec,debug ip: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Hash Algorithm, flag=0x8000, lorv=SHA
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Type, flag=0x8000, lorv=seconds
May/28/2013 14:15:49 ipsec,debug,packet ip: type=Life Duration, flag=0x0000, lorv=4
May/28/2013 14:15:49 ipsec,debug ip: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
May/28/2013 14:15:49 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
May/28/2013 14:15:49 ipsec,debug ip: no suitable proposal found.
May/28/2013 14:15:49 ipsec,debug ip: failed to get valid proposal.
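
The `rejected ...` lines in a log like the one above can be summarised mechanically. The following is an added example, not part of the original post and not MikroTik code: it lists, for each phase 1 transform the client offered, which fields differed from the router's peer settings, and which field never matched at all. Function names are illustrative, and the sample lines are abridged from the posted log.

```python
import re
from collections import defaultdict

# Abridged from the debug log in the post above (lines copied unchanged).
SAMPLE_LOG = """\
May/28/2013 14:15:49 ipsec,debug ip: invalid DH group 20.
May/28/2013 14:15:49 ipsec,debug ip: invalid DH group 19.
May/28/2013 14:15:49 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
May/28/2013 14:15:49 ipsec,debug ip: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug ip: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
May/28/2013 14:15:49 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
May/28/2013 14:15:49 ipsec,debug ip: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
May/28/2013 14:15:49 ipsec,debug ip: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
May/28/2013 14:15:49 ipsec,debug ip: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
May/28/2013 14:15:49 ipsec,debug ip: no suitable proposal found.
"""

# "DB" is the router's own peer setting, "Peer" is what the client offered.
REJECTED = re.compile(
    r"rejected (?P<field>\w+): DB\(prop#\d+:trns#\d+\):"
    r"Peer\(prop#\d+:trns#(?P<trns>\d+)\) = (?P<local>[^:]+):(?P<peer>.+)$"
)
INVALID_DH = re.compile(r"invalid DH group (\d+)\.")


def parse_rejections(log):
    """Map peer transform number -> {field: (local value, peer value)}."""
    out = defaultdict(dict)
    for line in log.splitlines():
        m = REJECTED.search(line)
        if m:
            out[int(m["trns"])][m["field"]] = (m["local"], m["peer"].strip())
    return dict(out)


def unsupported_dh_groups(log):
    """DH group numbers the responder reported as invalid."""
    return sorted({int(n) for n in INVALID_DH.findall(log)})


def never_matched(rejections):
    """Fields rejected for every transform that was compared."""
    sets = [set(fields) for fields in rejections.values()]
    return set.intersection(*sets) if sets else set()


def closest_offer(rejections):
    """Peer transform with the fewest mismatches (lowest number wins ties)."""
    if not rejections:
        return None
    return min(rejections, key=lambda t: (len(rejections[t]), t))


def negotiation_failed(log):
    return "no suitable proposal found" in log


def report(log):
    rej = parse_rejections(log)
    lines = []
    for trns in sorted(rej):
        diffs = ", ".join(
            f"{field}: local {loc} vs peer {peer}"
            for field, (loc, peer) in rej[trns].items()
        )
        lines.append(f"peer transform #{trns}: {diffs}")
    lines.append(f"DH groups reported invalid: {unsupported_dh_groups(log)}")
    lines.append(f"never matched in any transform: {sorted(never_matched(rej))}")
    lines.append(f"closest offer: transform #{closest_offer(rej)}")
    lines.append(f"negotiation failed: {negotiation_failed(log)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```
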
 
biomesh
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: L2tp/IPSEC performance blows?

Tue May 28, 2013 11:00 pm

Looks like you are missing a proposal.

Try something like the following:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-128 lifetime=30m name=default pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=\
    main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d \
    my-id-user-fqdn="" nat-traversal=yes port=500 secret=mypassphrase \
    send-initial-contact=yes
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 1:46 am

Just to add to this, using aes-128 and md5 you can easily get 15mbit of IPSec encrypted traffic on a 750GL.
GRE over IPSec example here.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 5:01 pm

can you provide your export?


mine is attached. i still can't get AES encrypt to work, throws the dh group error

i even built a lab x86 box and 2 vms and the results are the same as my 750

please help i feel its something stupid
# may/29/2013 09:59:04 by RouterOS 5.25
# software id = KRQH-1FJV
#
/interface ethernet
set 0 arp=proxy-arp name=LAN
set 1 name=WAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128 pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=dhcp1
/ppp profile
set 1 dns-server=10.0.1.1 local-address=192.168.88.1 remote-address=\
    dhcp_pool1
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=LAN
/ip dhcp-client
add default-route-distance=0 disabled=no interface=WAN
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input dst-port=1723 in-interface=WAN protocol=tcp
add chain=input dst-port=500,1701,4500 in-interface=WAN protocol=udp
add chain=input connection-state=established in-interface=WAN
add chain=input connection-state=related in-interface=WAN
add chain=input comment=winbox dst-port=8291 in-interface=WAN protocol=tcp \
    src-port=""
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip ipsec peer
add enc-algorithm=aes-128 generate-policy=yes hash-algorithm=sha1 \
    nat-traversal=yes secret=1234
/ppp secret
add name=test password=test profile=default-encryption
/system gps
set set-system-time=no
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
/system logging
add topics=ipsec
add topics=l2tp
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 5:32 pm

tried with 6.0 as well same error

someone throw me a bone....
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 5:52 pm

Watch the presentation in my sig.

Tweak the encryption and hashing algo's to suit your needs/speeds.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 6:10 pm

i did, i see nothing different than what you did, and sha1 des3 works flawless, only when i change encryption does it not work

and i can't find the reason why

can u just take a look and see what you think
 
biomesh
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 7:14 pm

Change
/ip ipsec peer
add enc-algorithm=aes-128 generate-policy=yes hash-algorithm=sha1 \
    nat-traversal=yes secret=1234
to
/ip ipsec peer
add exchange-mode=main-l2tp enc-algorithm=3des generate-policy=yes hash-algorithm=sha1 \
    nat-traversal=yes secret=1234
This is only for phase I of the l2tp connection and will allow windows clients to connect.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 7:34 pm

i dont want to use 3des, thats the point of this, the performance blows on that

windows also supports aes-128 sha1, by default which im being told has much better performance


i need this to work under aes 128, not 3des i already had that working
 
biomesh
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 8:04 pm

> i dont want to use 3des, thats the point of this, the performance blows on that
>
> windows also supports aes-128 sha1, by default which im being told has much better performance
>
> i need this to work under aes 128, not 3des i already had that working

The phase I encryption is only for the keys being passed, not the data. If you want to use windows clients, they only support 3des on phase I.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 8:29 pm

ok good to know

do you have a kb article or something that indicates that, i looked over the microsoft articles for a while and didn't see that mentioned
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2tp/IPSEC performance blows?

Wed May 29, 2013 9:19 pm

As mentioned before, for Phase 1, windows only supports 3des and sha1.

You have many options for Phase 2 however, and Windows will adapt to your phase 2 config.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: L2tp/IPSEC performance blows?

Fri May 31, 2013 3:59 am

i reconfigured with aes,

and it connects i was not able to use md5 in the proposal it never connected.

i got a boost, but performance still sucked on my 750, i was barely able to break 100k on upload from client and barely 200k on download.

god knows why its not symmetrical, but at this point im tired of playing

my lab vm with dual core 3.0's can do over 100+mbit on ds3, so apparently my config isn't bad

oh well when i mentally can handle it i will come back and attempt it again at some point

thanks for the help
 
Wyz4k
Member Candidate
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: L2tp/IPSEC performance blows?

Thu Jun 22, 2017 5:22 am

Yep, L2TP+IPSEC was almost unusable. From a basically synchronous line there developed a factor 100 difference between upload and download speed, which meant that when I pulled data from a remote site I only got 300bytes/second. PPTP did not show this performance penalty, but is no longer secure. I tried OpenVPN and it is almost as fast as PPTP, but more secure. So OpenVPN it is.
