I have been trying to setup a high speed vpn on CCR1016's.

So far I notice that SSTP is only able to pass just over 40Mb/s in SSTP.

Does anyone know the highest performance VPN method in Mikrotik?

After looking around the web I wish Mikrotik supported
http://www.softether.org/ - it can go over 900Mbps in VPN and its open source.

Try look on the IPsec. We have many 100 Mbps GRE/IPsec tunnels between RB1100AH/AHx2 routers without problems. They are limited with 100 Mbps Ethernet paths (if I remember the GRE/IPsec tunnel between two RB1100AHx2 runs around 250 Mbps on the 1 Gbps network with AES256/SHA1 proposal).
There is hardware encryption support for IPsec on the CCR routers:

SSTP can do more than 40Mbps especially on CCR.
Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel.

We have a 100mbps connection to the internet.
We are using a CCR1016.
We did a bandwidth test with TCP across the current SSTP tunnel and can only achieve about 40Mbps.

We are going to be having our remote office connect over this link and access internet through the tunnel.

Do you recommend upgrading to 6.8 and using GRE/Ipsec with hardware encryption for the best speeds?

Thanks,

Robert

@mrz

Wat is the maximum speed the RB1100AHx2 can do with ipsec?
And also at what Encr. Algorithms do we get the best speed? Is it AES-cbc 128 or maybe AES-gcm 256 or ...?

We are using a lot of ipsec tunnels connected from CCR1036 to RB100AHx2 and we'd like to optimize the ipsec speed.
Thank you in advance.

How have you tested the performance?

What are the max speeds on EOIP?

SSTP can do more than 40Mbps especially on CCR.
Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel.

What is the Proper setup on CCR for a GRE tunnel with IPSEC to acheive these speeds?
We just setup this and do not see anywhere near the speeds.

SSTP can do more than 40Mbps especially on CCR.
Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel.

Yeah right. Not in any of my testing with sstp, openvpn, gre/IPSec, l2tp/IPSec. Support told me that's the way it is and don't expect it to get better. Rb1100ahx2 outperforms ccr 1036 by a factor of 10.

On CCR1036 gre over ipsec can push 800Mbps full duplex.

Setup:
TG1---- CCR1----(ipsec/gre)---CCR2----TG2

CCR1 and CCR2 routers are CCR1036 running gre over ipsec (aes128 cbc)
TG1 and TG2 -- two CCR1009 routers runnning traffic genearator.

The same test on CCR1009 was a bit slower 400Mbps full duplex.


GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.

Also if you push too much traffic to crypto driver it will significantly decrease performance because of OOO packets.

Support only got 190mbit from router to router (IE: Not forwarding). I, (And others on the forum) don't see near that performance. I can only get about 20-25mbit full duplex between a CCR1036 and RB1100AHx2 using IPERF TCP, single connection with a 1400MTU GRE tunnel, a few mangle rules and a few queues in queue tree. Connnection tracking off. Same setup replacing the CCR with an RB1100AHx2 nets me 200+Mbit full duplex. If I remove the queues and mangle rules, I get up to around 50mbit full duplex.

If I disable the IPSEC policy on both ends, I get about 400mbit full duplex.

If I don't use GRE and use IPSEC in tunnel mode, I get nearly 400mbit full duplex. But, I can't do this as I need to run PIM, OSPF, and MPLS.

If I run the test using bandwidth test from router to router, I get about 230mbit 1 way (With no mangle or queues) using default 20 connections. If I source the bandwidth test from another CCR on the other side of the CCR doing the encryption, it drops to about 150mbit 1 way.

If I run the test using bandwidth test with 1 TCP connection from router to router, I only get about 100mbit. If I source the bandwidth test from another CCR on the other side of the CCR doing the encryption, it drops to about 50mbit.

So.. In summary. The CCR can only forward a single TCP connection over GRE with ipsec encryption at about 50mbit aggregate throughput. The CCR performance seems to suffer GREATLY when forwarding traffic arriving through an IPSEC encrypted GRE tunnel. Performance is reasonable when not FORWARDING across the routers, but that doesn't really do anyone any good.

Performance seems to drop another 30%+ if you use the queue tree and mangle rules, or even simple queues.

****Show me a functional lab of setup of 2 PCs data being routed through a RB1100AHx2 and a CCR 1036 over a GRE/IPSEC tunnel that runs 800mbit on a single TCP stream. Heck, even multiple TCP streams.****

EDIT: I was using AES128-CBC.

How much do tagged vlans impact the performance of the CCR?

GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.

Will GCM be hardware-encrypted in future software?

Not true.

Support provided figure was rough estimate by running bw test on the same router just to show that it is possible to get more that you are saying.


The same setup instead of stateless traffic generator, bw test with single tcp connection

[admin@Board_15 /ip address> /tool bandwidth-test 172.16.0.2 protocol=tcp tcp-conn
ection-count=1
status: running
duration: 20s
rx-current: 229.8Mbps


And this is because on tester router core on which BW test is running is maxed out, not because DUT cannot handle more.

Increase connection count to 60

[admin@Board_151] /ip address> /tool bandwidth-test 172.16.0.2 protocol=tcp tcp-co
nnection-count=60
status: running
duration: 23s
rx-current: 344.3Mbps
rx-10-second-average: 353.3Mbps
rx-total-average: 365.8Mbps
random-data: no
direction: receive


Again in this test gre/ipsec tunnel is between two CCR1036.

You said 800mbit, not 229mbit or 353mbit.

PS: You said 800mbit full duplex... I see 229mbit/353mbit 1/2 duplex. I bet if you did them both ways at the same time, the results would be approximately 1/2.

read again .. 800Mbps full duplex is with traffic generator not TCP.

TCP will be always slower.

GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.

Will GCM be hardware-encrypted in future software?

Currently no.

I just did a UDP test with 10 streams.. I got 800mbit.. with 20% packet loss..

Transmit only.

I just did a UDP test with 10 streams.. I got 800mbit.. with 20% packet loss..

Transmit only.

Yeah, same here Sometimes the packet loss is even worse (like 80-95%) depending on test parameters. All of which are virtually zero without encryption enabled.

GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.

Will GCM be hardware-encrypted in future software?

Currently no.

Why?

I'm suprised to read the claimed IPsec VPN rates achievable on the RB2011UiAS-2HnD...
Is it maybe only achievable in some specific configurations that happen to be hardware-accelerated?

When I configure a GRE tunnel with IPsec (by setting the IPsec secret in the GRE tunnel config) on my RB2011UiAS-2HnD
I get 100% CPU usage at about 20 Mbit/s outgoing traffic.
This is on a PPPoE internet connection, probably that matters too.

The default config generated from that tunnel setup uses ESP, 3des or aes-128, and sha1.
In this setup the peers agree to use aes-cbc.
I created my own IPsec profile and peer that uses AH instead, and it performs much better.

Is aes hardware accelerated on the RB2011UiAS-2HnD?
Is this kind of performance typical or have I likely made some error that severely affects performance?
Yesterday I made a feature request to offer an ESP/AH selection option in that "easy IPsec" setup within the
tunnel interfaces so it is easier to optimize, but when 200Mbit+ performance with ESP is achievable that is
not required.

Where do you see in this topic mentioning RB2011? This board has slow mips CPU and 20Mbps Ipsec traffic is typical throughput that you can get.

HW acceleration is supported on boards listed in the manual
http://wiki.mikrotik.com/wiki/Manual:IP ... encryption

Where do you see in this topic mentioning RB2011?

In the article from Majklik at the top of the page. Ok, I now see that RB2011AH is quite a different thing.
Confusing those MikroTik type numbers...

Anyway, with AH only it works much better. In many circumstances where one is not really worrying about eavesdroppers
AH is perfectly fine to get secure tunnels without insertion of traffic by hackers.

HW acceleration is supported on boards listed in the manual
http://wiki.mikrotik.com/wiki/Manual:IP ... encryption

Your link does not contain RB3011.
RB3011 do not have HW encryption???

Publicly available material about RB3011 CPU says it has crypto acceleration. Either public info is wrong or Mikrotik have chosen not to implement it at this point. You have to assume Mikrotik would implement it if they were able to.

RouterOS v6 does not have driver to support HW acceleration of RB3011. Most likely ROS v7 will have it.

RouterOS v6 does not have driver to support HW acceleration of RB3011. Most likely ROS v7 will have it.

Do you have info about ROS v7 release date? (+-month)