essele

IPsec with no encryption ... why is the firewall involved?

Sat Jan 25, 2014 9:20 am

Hi,

I've been experimenting with various IPsec options with an RB951G, using v6.7.

For most of my traffic I really just need a kind of proxy, but I'm dealing with a nasty ISP that shapes all sorts of stuff, so I've finally settled on an unencrypted IPsec tunnel. I can get pretty good performance, close to the limits of my link out of both a Linux box running StrongSwan and very similar performance out of the RB951G. Roughly 80-90Mbps.

However ... when I look at the profiler, it's about 65% networking, 20% firewall, and the rest on ethernet etc. It's largely 0% idle during a high bandwidth transfer.

I'm concerned that the firewall number is so high ... I don't have any rules at all for the purposes of this testing, but I do need to do some address translation and a few other things when I set it up properly, plus the main link will be PPPoE on the router, which is handled somewhere else at the moment ... so I fear that it will not cope given the numbers at the moment.

Am I missing something? I know it needs to make a decision whether to use the IPsec path or not, but that shouldn't be more than a src/dst address compare ... surely that doesn't take 20% of the CPU??

Regards,

Lee.
dasiu

Re: IPsec with no encryption ... why is the firewall involved?

Sun Jan 26, 2014 3:52 am

1. Is your /ip firewall nat empty right now?
2. Do you use l2tp? It creates dynamic change-mss rules in /ip firewall mangle.
3. What if you disable connection tracking?
4. Check "print dynamic" in /ip firewall filter, nat and mangle - everything empty?
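The four checks above as one RouterOS CLI session (an added example, not part of dasiu's reply); it assumes a v6 box like the RB951G in the thread and that "/tool profile" is the profiler being read:

```routeros
# Added example: rule counts per firewall table, with the dynamic (flag D) ones
# shown separately, since l2tp change-mss rules appear without being configured
:put ("filter: " . [:len [/ip firewall filter find]] . " rules, " . [:len [/ip firewall filter find dynamic=yes]] . " dynamic")
:put ("nat:    " . [:len [/ip firewall nat find]] . " rules, " . [:len [/ip firewall nat find dynamic=yes]] . " dynamic")
:put ("mangle: " . [:len [/ip firewall mangle find]] . " rules, " . [:len [/ip firewall mangle find dynamic=yes]] . " dynamic")

# Disabled rules are counted above too, so list only what is actually active
/ip firewall nat print where disabled=no
/ip firewall filter print where disabled=no
/ip firewall mangle print where disabled=no

# Step 3: switch connection tracking off for the test, then profile for 10 s
# during a transfer and compare the "firewall" share against the earlier run
/ip firewall connection tracking set enabled=no
/tool profile duration=10
```

Re-enable connection tracking afterwards with "enabled=yes" (or "auto"), as NAT and any stateful rules depend on it.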
essele

Re: IPsec with no encryption ... why is the firewall involved?

Sun Jan 26, 2014 5:11 pm

Hi dasiu,

I've been messing around with a different device and don't have the original one online to confirm everything you have suggested; I'll revalidate in the next day or so.

But to answer some of your questions...

1. /ip firewall nat -- had some disabled entries, but nothing enabled. I'm assuming disabled is as good as not there?
2. No, just a plain IPsec tunnel.
3. Tried disabling connection tracking ... didn't make any difference.
4. This one I'll need to check...

Regards,

Lee.