Community discussions

 
User avatar
Eising
Member Candidate
Member Candidate
Topic Author
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

ipsec hardware acceleration under RB1000

Wed May 12, 2010 2:07 pm

Hi,

Is there any specific parameters needed for the best ipsec performance on the RB1000 platform? For instance, what kind of cryptography is accelerated? All of them?
The road to hell is paved with good intentions.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ipsec hardware acceleration under RB1000

Wed May 12, 2010 2:17 pm

You don't need any specific parameters. R1000 will automatically use HW encryption.
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: ipsec hardware acceleration under RB1000

Wed May 12, 2010 5:45 pm

Somewhat related: does it also use hardware acceleration for other cryptographic tasks, such as TLS?
 
he1ium
newbie
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: ipsec hardware acceleration under RB1000

Thu May 13, 2010 1:49 am

Is there a theoretical limit for the number of concurrent connections on the RB1000 with the following setup -

SHA1/AES256 IPSec over an IPIP tunnel also using OSPF for routing. This is HUB and SPOKE setup where the RB1000 is the HUB, all other locations are SPOKE with 493AH routers.
 
User avatar
Eising
Member Candidate
Member Candidate
Topic Author
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: ipsec hardware acceleration under RB1000

Mon May 17, 2010 4:47 pm

Hmm, are you sure that there's no specific encryption algorithm that needs to be used with this? I have a 100Mbit/s internet connection but I can only get something like 2-3Mbit/s through IPSec.
I use AES-128 with SHA1 hashing.
I have 2% CPU load while testing, and I test using FTP.
The road to hell is paved with good intentions.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5934
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ipsec hardware acceleration under RB1000

Tue May 18, 2010 7:24 am

AES is hardware accelerated, what device do you have on other side?
 
User avatar
Eising
Member Candidate
Member Candidate
Topic Author
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: ipsec hardware acceleration under RB1000

Tue May 18, 2010 8:56 am

A linux box running OpenSWAN. My own line at home is a 50Mbit/s fiber, and I'm running a VPN on that on my RB750, and it's running much, much better than this RB1000. It's the same config on the two boxes.
The road to hell is paved with good intentions.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: ipsec hardware acceleration under RB1000

Tue May 18, 2010 1:53 pm

what version of RouterOS?

what encryption settings you have set up?

how much normal traffic you can push through that?
 
User avatar
Eising
Member Candidate
Member Candidate
Topic Author
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: ipsec hardware acceleration under RB1000

Tue May 18, 2010 3:12 pm

I've been working on this problem all day, and here is what I've gathered:
I'm running RouterOS 4.6 and have split-tunnelling with AES-128-sha1-modp1536 configured.
I can push something like 3.5MByte/s through this circuit if I don't use the IPSec tunnel.
My throughput through the ipsec tunnel is around 180KByte/s.
I've been sniffing on all the ends of the circuit that I have access to (the router, the outside before my concentrator and the inside network

When I analyse these pcap dumps, I can see that the ipsec packets arrive out of order, and I can see that they are in fact transmitted out of order on the RB1000!

So, somehow there's a bug on the RB1000 that causes the VPN traffic to be transmitted out of order.
The road to hell is paved with good intentions.
 
psamsig
Member Candidate
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: ipsec hardware acceleration under RB1000

Sat Aug 21, 2010 1:24 pm

So, somehow there's a bug on the RB1000 that causes the VPN traffic to be transmitted out of order.
Did this ever get confirmed and/or resolved?
 
User avatar
Eising
Member Candidate
Member Candidate
Topic Author
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: ipsec hardware acceleration under RB1000

Thu Aug 26, 2010 4:31 pm

No, unfortunately not. It's still a problem, but I'll probably replace the boxes with something that I know works...
The road to hell is paved with good intentions.
 
wpeople
Member
Member
Posts: 352
Joined: Sat May 26, 2007 6:36 pm

Re: ipsec hardware acceleration under RB1000

Sat Apr 09, 2011 12:19 pm

Just for the archive:
we did some testing with the new RB1100AH (a pair of them).
In the first times, we tought, we need to turn on HW acceleration on something other fails, after we found NOT to use Mikrotik's btest, but we have to use iperf (or jperf with GUI).

With that, we can nicely push 200mbps tcp between a desktop and a (pretty old p4) notebook (after that, the notebook's cpu was the limit).
At 200mbps tcp thruput, the RB's CPU was ~50-60%, using AES-256, ESP with IPSEC.
 
Krikti
just joined
Posts: 1
Joined: Fri Nov 04, 2011 12:24 pm

Re: ipsec hardware acceleration under RB1000

Fri Nov 04, 2011 12:30 pm

I think the same thing that you don't need any specific parameters. R1000 will automatically use HW encryption. I Flight Systems

Who is online

Users browsing this forum: No registered users and 19 guests