Hello everyone!
I have established an IPsec Xauth tunnel between a Fortigate and a Mikrotik hEX (v6.48.6) over an Internet connection.
I have noticed that there is 4-10% packet loss (with the default 56-byte packet size; with bigger packets like 1000 bytes it is even worse) when I ping any host through the tunnel, in any direction.
There's no packet loss outside the tunnel (0% packet loss when I ping the remote public IP).
I do not see any CPU issue, it's always around 0-3%.
Topology:
Local LAN ---> Mikrotik ---- Internet ---- Fortigate <--- RemoteLAN
My config on mikrotik side:
/ip ipsec peer
add address=201.xxx.xxx.2/32 exchange-mode=aggressive name=mypeer
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=no mode-config=request-only my-id=key-id:vpn-xxx password=mypass peer=mypeer remote-id=ignore secret=mysecret username=myusername
/ip ipsec policy
add dst-address=192.168.37.5/32 peer=mypeer src-address=192.168.150.0/24 tunnel=yes
add dst-address=10.0.3.20/32 peer=mypeer src-address=192.168.150.0/24 tunnel=yes
add dst-address=192.168.35.0/24 peer=mypeer src-address=192.168.150.0/24 tunnel=yes
/ip firewall filter print
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=input action=accept src-address=201.XXX.XXX.2 in-interface=ether2 - fibertel log=no log-prefix="" comment="remote ipsec peer"
2 chain=input action=accept protocol=tcp src-address=200.XXX.XXX.100/24 in-interface=ether2 dst-port=8291 log=no log-prefix="" comment="access winbox from internet"
3 chain=input action=accept protocol=tcp src-address=192.168.35.0/24 in-interface=ether2 dst-port=8291 log=no log-prefix="" comment="allow winbox management from remote lan"
4 chain=input action=accept protocol=tcp src-address=192.168.35.0/24 in-interface=ether2 dst-port=22 log=no log-prefix="" comment="allow ssh management from remote lan"
5 chain=forward action=accept src-address-list=vpn-ipsec log=no log-prefix=""
6 chain=forward action=accept dst-address-list=vpn-ipsec log=no log-prefix=""
7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
Please tell me if I can share any test or configuration with you to solve this issue.
Thank you.
Ramiro.
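Since the loss grows with packet size, one check worth running before anything else is whether the encrypted packets still fit the path MTU. The script below is an added example (not from the post or from RouterOS) that works out the ESP tunnel-mode overhead for the aes-128-cbc proposal shown above; it assumes HMAC-SHA1-96 integrity and a 1500-byte path MTU, neither of which is stated in the post, and the NAT-T flag is there because Xauth setups often run behind NAT.

```python
# Added example: size an ESP tunnel-mode packet for the aes-128-cbc proposal
# in the post and find the largest ping payload that will not fragment.
# Assumptions (not in the post): HMAC-SHA1-96 ICV (12 bytes), path MTU 1500.

OUTER_IP = 20      # new IPv4 header added in tunnel mode
NAT_T_UDP = 8      # UDP 4500 encapsulation, only when NAT-T is in use
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16        # CBC initialisation vector, one AES block
AES_BLOCK = 16     # padding aligns payload + trailer to this size
ESP_TRAILER = 2    # pad length (1) + next header (1)
SHA1_ICV = 12      # assumed integrity check value length


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Total on-the-wire size of an inner IPv4 packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    fixed = OUTER_IP + ESP_HDR + AES_IV + ESP_TRAILER + SHA1_ICV
    if nat_t:
        fixed += NAT_T_UDP
    return fixed + inner_len + pad


def max_inner_len(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet whose ESP encapsulation still fits path_mtu."""
    inner = path_mtu
    while esp_tunnel_size(inner, nat_t) > path_mtu:
        inner -= 1
    return inner


def max_icmp_payload(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest `ping -s N` payload that will not fragment: inner IP (20) + ICMP (8)."""
    return max_inner_len(path_mtu, nat_t) - 28


def tcp_mss_clamp(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """MSS that keeps a full-size TCP segment inside the tunnel: inner minus IP+TCP headers."""
    return max_inner_len(path_mtu, nat_t) - 40


if __name__ == "__main__":
    for payload in (56, 1000):  # the two sizes mentioned in the post
        wire = esp_tunnel_size(20 + 8 + payload)
        print(f"ping -s {payload}: {wire} bytes on the wire after ESP")
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: max non-fragmenting ping payload "
              f"{max_icmp_payload(nat_t=nat_t)}, MSS clamp {tcp_mss_clamp(nat_t=nat_t)}")
```

Ping the far side with the DF bit set (`ping -M do -s <size>` on Linux) at and just above the computed payload; if loss starts well below it, the path MTU is smaller than 1500 and the same functions can be re-run with the measured value.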