propagandhi1983
just joined
Topic Author
Posts: 6
Joined: Tue Feb 04, 2014 1:36 pm

IPSEC/EOIP File Transfer issue

Tue Feb 04, 2014 1:47 pm

G'day, I am not 100% sure how to explain the issue I am having, however I have 3 sites on 80Mbps fibre connections.

I am running IPsec in transport mode between the sites and EoIP tunnels on top, with OSPF routing.

Between these 80MB sites file transfers etc are all very fast.

There are some existing managed networks behind these routers at each site running in parallel at the moment until they are replaced. When I do file transfers that traverse these routers I am lucky to get 100KB/s file transfers at best.

To explain a little better, let's say we have 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 at the three sites on EoIP/IPsec, MikroTik to MikroTik.

Behind these sites there is 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24. These are all pre-existing 10Mbps connections.

File transfers between all 192.X subnets (80Mbps) are flawless. Any file transfer between the 192.x subnet and the 10.x subnet is painfully slow. As an example an 8MB file takes over 6 minutes to transfer. The average speed is approximately 100Kbps when transferring from the 10.x subnet to the 192 subnets.

The 10.x subnet is managed Cisco router infrastructure, so I have no control over those routers.

I have tried adjusting the MTU for traffic between the two subnets, and also tried setting the CLEAR DF options.

If anyone could advise where I could be going wrong here that would be most appreciated.
 
AnRkey
Member Candidate
Posts: 119
Joined: Tue Sep 15, 2009 6:01 pm

Re: IPSEC/EOIP File Transfer issue

Wed Feb 05, 2014 3:46 pm

This sounds like an MTU problem.

Check the L2TP connection to see if the Max MTU is low enough.

You can do a ping test across the link from Windows with the following flags set.

ping -4 -f 192.168.0.1

ping /? for more info.

The -f part in the ping tells it not to allow fragmenting.

If this test shows that the packets are being fragmented, then your MTU is wrong. Most of the time this is because you are connecting to the internet via a tunnel like PPPoE and then using L2TP over the first tunnel too. The second tunnel might need lower MTUs to work. In your case, it sounds like EoIP over L2TP over PPPoE.

Since EoIP does not have a Max MTU to set, your issue is lower down, on the L2TP and/or PPPoE if you have that layer.

Let me know if this helps.
MTCNA
 
propagandhi1983
just joined
Topic Author
Posts: 6
Joined: Tue Feb 04, 2014 1:36 pm

Re: IPSEC/EOIP File Transfer issue

Thu Feb 06, 2014 2:31 am

I've done some further testing.

Strangely enough, if I completely disable IPsec encryption, transfer speeds are as expected.

In fact, with IPsec active and with CCR1016-12 at each site and AES-128 encryption, the very best transfer speed I was able to achieve was 20Mbps and we have 80Mbps links.

Is there any way to improve the IPsec performance/throughput or any other suggestions to securely link these sites with good throughput?
 
propagandhi1983
just joined
Topic Author
Posts: 6
Joined: Tue Feb 04, 2014 1:36 pm

Re: IPSEC/EOIP File Transfer issue

Thu Feb 06, 2014 3:41 am

Thank you also for taking the time to respond.

I was also reading about some strategies for speeding up IPsec, but in relation to the RB1100 series:

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Do you know of any particular strategies specific to the cloud core series?

AnRkey wrote:
> This sounds like an MTU problem.
>
> Check the L2TP connection to see if the Max MTU is low enough.
>
> You can do a ping test across the link from Windows with the following flags set.
>
> ping -4 -f 192.168.0.1
>
> ping /? for more info.
>
> The -f part in the ping tells it not to allow fragmenting.
>
> If this test shows that the packets are being fragmented, then your MTU is wrong. Most of the time this is because you are connecting to the internet via a tunnel like pppoe and then using l2tp over the first tunnel too. The second tunnel might need lower MTUs to work. In your case, it sounds like EoIP over L2TP over PPPOE.
>
> Since EoIP does not have a Max MTU to set, your issue is lower down, on the L2TP and or PPPOE if you have that layer.
>
> Let me know if this helps.
 
AnRkey
Member Candidate
Posts: 119
Joined: Tue Sep 15, 2009 6:01 pm

Re: IPSEC/EOIP File Transfer issue

Thu Feb 06, 2014 11:50 am

No I don't know of any speed up tips. Mostly, your configuration of the device will dictate how fast it is. A config that puts the router under load will always be bad.

Did you look into the MTU problem?
MTCNA
 
propagandhi1983
just joined
Topic Author
Posts: 6
Joined: Tue Feb 04, 2014 1:36 pm

Re: IPSEC/EOIP File Transfer issue

Thu Feb 06, 2014 1:45 pm

AnRkey wrote:
> No I don't know of any speed up tips. Mostly, your configuration of the device will dictate how fast it is. A config that puts the router under load will always be bad.
>
> Did you look in to the MTU problem?

I have tried with your suggestion and the mtupath utility (I know it's doing the same thing as well) to discover the correct MTU, and have also set the MTU as low as 1300. It did not make any difference in my case, however immediately after turning IPsec off the file transfers were excellent again.

I am using AES-128 with MD5 authentication for IPsec in transport mode. On top of that I run the EoIP tunnels. I've tried using L2TP and adjusting the MTU of the L2TP interface and the issue remains. It seems as though IPsec is the culprit but of course I could be wrong.

I am running 6.9 also.

If you have any other suggestions I'd be happy to try anything at this point ;)
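For reference, the per-packet overhead of the stack described in this thread (EoIP inside ESP transport mode, AES-128 with MD5 authentication) can be worked out as below. This is an added example, not code from any poster or from MikroTik. It assumes AES in CBC mode (16-byte IV and block), a 12-byte HMAC-MD5-96 ICV, IPv4 without options, no NAT-T, and a 1500-byte path MTU between the routers; the function names are hypothetical.

```python
# Added example: sizes on the wire for EoIP over IPsec ESP transport mode.
# Assumed layout (not taken from the thread's routers):
#   outer IPv4 | ESP hdr | IV | [ GRE(EoIP) | Ethernet | inner IP packet |
#   padding | pad-len | next-hdr ] encrypted | ICV

IPV4_HDR = 20      # IPv4 header without options
ICMP_HDR = 8       # ICMP echo header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length (1) + next-header (1)
EOIP_GRE = 8       # GRE header used by EoIP
ETH_HDR = 14       # inner Ethernet header carried by EoIP


def esp_transport_len(inner_ip_len, iv=16, block=16, icv=12):
    """Outer IPv4 packet length for one inner IP packet of inner_ip_len bytes."""
    plaintext = EOIP_GRE + ETH_HDR + inner_ip_len + ESP_TRAILER
    ciphertext = -(-plaintext // block) * block   # pad up to the cipher block size
    return IPV4_HDR + ESP_HDR + iv + ciphertext + icv


def max_inner_packet(path_mtu=1500, **esp):
    """Largest inner IP packet that still fits in one outer packet."""
    n = path_mtu
    while n > 0 and esp_transport_len(n, **esp) > path_mtu:
        n -= 1
    return n


def outer_fragments(inner_ip_len, path_mtu=1500, **esp):
    """Number of outer IPv4 fragments the encrypted packet is split into."""
    payload = esp_transport_len(inner_ip_len, **esp) - IPV4_HDR
    per_fragment = (path_mtu - IPV4_HDR) // 8 * 8   # fragment data is 8-byte aligned
    return -(-payload // per_fragment)


def ping_payload(inner_ip_len):
    """ICMP data size (the value for Windows 'ping -f -l') for an inner packet size."""
    return inner_ip_len - IPV4_HDR - ICMP_HDR


if __name__ == "__main__":
    best = max_inner_packet(1500)
    print("largest unfragmented inner packet:", best)
    print("matching ping -f -l size:", ping_payload(best))
    for size in (1300, best, 1500):
        print(size, "->", esp_transport_len(size), "bytes,",
              outer_fragments(size), "fragment(s)")
```

Under these assumptions a full 1500-byte inner packet becomes a 1592-byte ESP packet and is split in two on a 1500-byte path, while anything up to 1416 bytes passes unfragmented.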
 
AnRkey
Member Candidate
Posts: 119
Joined: Tue Sep 15, 2009 6:01 pm

Re: IPSEC/EOIP File Transfer issue

Thu Feb 06, 2014 2:38 pm

It could very well be a bug. I don't have time to set it up here in my office to confirm, but I do think that you have a good enough reason to contact MT support directly over this issue.
MTCNA
