Any RouterOS version above 7.15.3 (7.16.x and 7.17) shows critical performance issues. All TCP streams are affected; the drop is most noticeable during SMB file operations. Wireshark shows multiple duplicate ACKs and retransmissions. Config below (working on 7.15.3); GRE addressing is not redacted.
# Two GRE point-to-point tunnels; the inner tunnel endpoints (172.16.64.x/32) are the
# selectors of the IPsec policies further down, so GRE is what gets encrypted.
# allow-fast-path=no forces these tunnels through the slow path on both interfaces.
/interface/gre/export
/interface gre
add allow-fast-path=no local-address=172.16.64.21 name=gre-mdggdn remote-address=172.16.64.20
add allow-fast-path=no local-address=172.16.64.23 name=gre-mdgwaw remote-address=172.16.64.22
/ip/ipsec/export
# IKEv2 peers; outer (public) addresses are redacted as xxxx in this post.
# node-a additionally has send-initial-contact=no, node-b keeps the default.
/ip ipsec peer
add address=xxxx/32 exchange-mode=ike2 name=node-a send-initial-contact=no
add address=xxxx/32 exchange-mode=ike2 name=node-b
# Policy template group referenced by both identities below.
/ip ipsec policy group
add name=common
# Phase 1 (IKE) settings on the default profile: ECP-521 DH, AES-256, SHA-512,
# dead-peer detection every 30s with the peer declared dead after 3 misses.
/ip ipsec profile
set [ find default=yes ] dh-group=ecp521 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha512
# Phase 2 (ESP) settings on the default proposal: AES-256-CBC with SHA-512 integrity
# and ECP-521 for PFS rekeys.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=ecp521
# Both peers authenticate with certificates (digital-signature) and are matched by
# certificate rather than by address. Only the node-b identity is allowed to generate
# a policy (port-strict); the node-a side relies solely on the static policies below.
# Certificate names are redacted in this post.
/ip ipsec identity
add auth-method=digital-signature certificate=*redacted* generate-policy=port-strict match-by=\
certificate peer=node-b policy-template-group=common remote-certificate=*redacted*
add auth-method=digital-signature certificate=*redacted* match-by=certificate peer=node-a \
policy-template-group=common remote-certificate=*redacted*
# Tunnel-mode policies restricted to protocol=gre between the GRE endpoint pairs;
# level=unique gives each policy its own SA rather than sharing one.
/ip ipsec policy
add dst-address=172.16.64.20/32 level=unique peer=node-a protocol=gre src-address=172.16.64.21/32 tunnel=yes
add dst-address=172.16.64.22/32 level=unique peer=node-b protocol=gre src-address=172.16.64.23/32 tunnel=yes
# Default-config masquerade on the WAN list, narrowed so it does not rewrite the
# protected traffic: GRE is excluded (protocol=!gre) and ipsec-policy=out,none only
# matches packets that have no outbound IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN protocol=!gre