ipsec hardware acceleration under RB1000

Posted: Wed May 12, 2010 2:07 pm
by Eising
Hi,

Are there any specific parameters needed for the best ipsec performance on the RB1000 platform? For instance, what kind of cryptography is accelerated? All of them?

Re: ipsec hardware acceleration under RB1000

Posted: Wed May 12, 2010 2:17 pm
by mrz
You don't need any specific parameters. R1000 will automatically use HW encryption.

Re: ipsec hardware acceleration under RB1000

Posted: Wed May 12, 2010 5:45 pm
by fewi
Somewhat related: does it also use hardware acceleration for other cryptographic tasks, such as TLS?

Re: ipsec hardware acceleration under RB1000

Posted: Thu May 13, 2010 1:49 am
by he1ium
Is there a theoretical limit for the number of concurrent connections on the RB1000 with the following setup -

SHA1/AES256 IPSec over an IPIP tunnel also using OSPF for routing. This is a HUB and SPOKE setup where the RB1000 is the HUB, all other locations are SPOKE with 493AH routers.

Re: ipsec hardware acceleration under RB1000

Posted: Mon May 17, 2010 4:47 pm
by Eising
Hmm, are you sure that there's no specific encryption algorithm that needs to be used with this? I have a 100Mbit/s internet connection but I can only get something like 2-3Mbit/s through IPSec.
I use AES-128 with SHA1 hashing.
I have 2% CPU load while testing, and I test using FTP.

Re: ipsec hardware acceleration under RB1000

Posted: Tue May 18, 2010 7:24 am
by mrz
AES is hardware accelerated. What device do you have on the other side?

Re: ipsec hardware acceleration under RB1000

Posted: Tue May 18, 2010 8:56 am
by Eising
A Linux box running OpenSWAN. My own line at home is a 50Mbit/s fiber, and I'm running a VPN on that on my RB750, and it's running much, much better than this RB1000. It's the same config on the two boxes.

Re: ipsec hardware acceleration under RB1000

Posted: Tue May 18, 2010 1:53 pm
by janisk
What version of RouterOS?

What encryption settings do you have set up?

How much normal traffic can you push through that?

Re: ipsec hardware acceleration under RB1000

Posted: Tue May 18, 2010 3:12 pm
by Eising
I've been working on this problem all day, and here is what I've gathered:
I'm running RouterOS 4.6 and have split-tunnelling with AES-128-sha1-modp1536 configured.
I can push something like 3.5MByte/s through this circuit if I don't use the IPSec tunnel.
My throughput through the ipsec tunnel is around 180KByte/s.
I've been sniffing on all the ends of the circuit that I have access to (the router, the outside before my concentrator and the inside network).

When I analyse these pcap dumps, I can see that the ipsec packets arrive out of order, and I can see that they are in fact transmitted out of order on the RB1000!

So, somehow there's a bug on the RB1000 that causes the VPN traffic to be transmitted out of order.
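The out-of-order check described in the post above can be scripted, because the ESP header carries the SPI and a per-SA sequence number in cleartext. This is an added example, not part of the original thread: it assumes a classic little-endian pcap with Ethernet framing, IPv4 and no NAT-T encapsulation, and the sample capture, addresses and SPI are constructed.

```python
import socket
import struct
from collections import defaultdict

def esp_reorder_stats(pcap):
    """Count ESP packets that arrive behind a higher sequence number, per SA."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    stats = defaultdict(lambda: {"packets": 0, "late": 0, "max_gap": 0, "highest": 0})
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 50 or len(ip) < ihl + 8:   # IP protocol 50 = ESP
            continue
        spi, seq = struct.unpack_from("!II", ip, ihl)   # cleartext ESP header
        sa = stats[(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), spi)]
        sa["packets"] += 1
        if seq < sa["highest"]:                # arrived after a newer packet
            sa["late"] += 1
            sa["max_gap"] = max(sa["max_gap"], sa["highest"] - seq)
        else:
            sa["highest"] = seq
    return dict(stats)

def build_sample_pcap(seqs, spi=0x1000ABCD):
    """Constructed capture: one ESP packet per sequence number, in the given order."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, seq in enumerate(seqs):
        esp = struct.pack("!II", spi, seq) + bytes(16)       # dummy ciphertext
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), i, 0, 64, 50, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
        frame = bytes(12) + b"\x08\x00" + ip + esp
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_sample_pcap([1, 2, 5, 3, 4, 6, 9, 7, 8, 10])  # constructed ordering
if __name__ == "__main__":
    for sa, s in esp_reorder_stats(SAMPLE).items():
        print(sa, s)
```

Running it on captures taken before and after the router shows whether the reordering is introduced by that hop; sequence-number wrap and extended sequence numbers are not handled.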

Re: ipsec hardware acceleration under RB1000

Posted: Sat Aug 21, 2010 1:24 pm
by psamsig
"So, somehow there's a bug on the RB1000 that causes the VPN traffic to be transmitted out of order."
Did this ever get confirmed and/or resolved?

Re: ipsec hardware acceleration under RB1000

Posted: Thu Aug 26, 2010 4:31 pm
by Eising
No, unfortunately not. It's still a problem, but I'll probably replace the boxes with something that I know works...

Re: ipsec hardware acceleration under RB1000

Posted: Sat Apr 09, 2011 12:19 pm
by wpeople
Just for the archive:
we did some testing with the new RB1100AH (a pair of them).
At first we thought we needed to turn on HW acceleration or something else fails; afterwards we found that we should NOT use Mikrotik's btest, but have to use iperf (or jperf with GUI).

With that, we can nicely push 200mbps TCP between a desktop and a (pretty old P4) notebook (after that, the notebook's CPU was the limit).
At 200mbps TCP throughput, the RB's CPU was ~50-60%, using AES-256, ESP with IPSEC.

Re: ipsec hardware acceleration under RB1000

Posted: Fri Nov 04, 2011 12:30 pm
by Krikti
I think the same thing: you don't need any specific parameters. R1000 will automatically use HW encryption.