breakaway
just joined
Topic Author
Posts: 13
Joined: Sun May 10, 2015 2:31 pm

RB750gr3 on RouterOS 7.8 - IPSEC very slow

Wed Mar 15, 2023 12:55 pm

Hello Everyone

I have built an IPSEC tunnel between a MikroTik RB750gr3 and a pfSense. The pfSense version is 2.6.0 which is currently the latest.

Traffic is flowing OK in both directions, however it is very very slow. So slow in fact that even RDP and SSH are affected (over RDP mouse clicks do nothing, typed characters in SSH take a looong time to show up). I have two P1s, one is IPv4 with 2 x P2s, another is IPv6 with 3 x P2s.

CPU usage looks OK (about 15% or so) and strangely, ICMP pings are not affected at all (3-6 ms across the tunnel). But any other protocol is so slow I can't even seem to get a connection (e.g. if I try to drag and drop a file from an SMB share, it just errors out and the copy won't even start). Any ideas on where I can start debugging this? My internet connection is PPPoE over VLAN 10 at the MikroTik end, and the internet access (via NAT or direct over IPv6) is working great.

/ip ipsec peer
add address=123.123.123.123/32 exchange-mode=ike2 name=Tunnel_1_IPv4
add address=abcd:abcd:abcd:ff23::2/128 exchange-mode=ike2 name=Tunnel_2_IPv6
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=4 enc-algorithm=aes-128 hash-algorithm=sha256 prf-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm,aes-192-ctr,aes-128-gcm pfs-group=modp2048
/ip ipsec identity
add peer=Tunnel_1_IPv4
add peer=Tunnel_2_IPv6
/ip ipsec policy
add comment="IPV4 AHL" dst-address=10.3.10.0/24 peer=Tunnel_1_IPv4 src-address=10.2.10.0/24 tunnel=yes
add comment="IPv4 F_LANPRIV_2002" dst-address=172.16.2.0/24 peer=Tunnel_1_IPv4 src-address=10.2.10.0/24 tunnel=yes
add comment="IPv6 AHL" dst-address=abcd:abcd:abcd:fc02::/64 peer=Tunnel_2_IPv6 src-address=cdef:cdef:9d01:100::/64 tunnel=yes
add comment="IPv6 F_LANPRIV" dst-address=abcd:abcd:abcd:fc04::/64 peer=Tunnel_2_IPv6 src-address=cdef:cdef:9d01:100::/64 tunnel=yes
add comment="IPv6 F_LANPUB" dst-address=abcd:abcd:abcd:fc03::/64 peer=Tunnel_2_IPv6 src-address=cdef:cdef:9d01:100::/64 tunnel=yes

Update: After rebooting the mikrotik and restarting the IPSEC service on the pfSense end, I have found that performance of the VPN for the IPv6 P1/P2 has improved considerably. It is still slower than what it used to be with my older pfsense <-> pfsense setup but I can live with it for now (eventually I will replace this setup w/ wireguard).

However, IPv4 is totally unusable still. Any insights welcome.

Update 2: Under pressure to get this working I have migrated the VPN from ipsec to wireguard.
Last edited by breakaway on Thu Mar 16, 2023 3:32 am, edited 3 times in total.
 
elbob2002
Member Candidate
Posts: 252
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: RB750gr3 on RouterOS 7.8 - IPSEC very slow

Fri Mar 17, 2023 12:49 pm

Looks like your RB750Gr3 might not have hardware supported IPSEC.

From this table:

https://help.mikrotik.com/docs/display/ ... celeration

The MT7621A CPU only supports 3DES and AES-CBC accelerated encryption.
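
Added example, not part of the thread and not MikroTik tooling: a Python check that parses a RouterOS export and lists the ESP encryption algorithms in `/ip ipsec proposal` that fall outside the set the reply above names as accelerated on the MT7621A (3DES and AES-CBC). That set is an assumption taken from the reply, and the sample input is the profile and proposal lines copied from the first post; the function names are hypothetical.

```python
import shlex

# Sample input: profile and proposal lines copied from the first post.
SAMPLE_EXPORT = """\
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=4 enc-algorithm=aes-128 hash-algorithm=sha256 prf-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm,aes-192-ctr,aes-128-gcm pfs-group=modp2048
"""

def is_accelerated(alg):
    """Assumption from the reply: only 3DES and AES-CBC are offloaded."""
    return alg == "3des" or (alg.startswith("aes-") and alg.endswith("-cbc"))

def parse_export(text):
    """Yield (section, params) for every add/set line of a RouterOS export."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            params, depth = {}, 0
            for tok in shlex.split(line)[1:]:
                if tok == "[":           # skip the "[ find ... ]" selector
                    depth += 1
                elif tok == "]":
                    depth -= 1
                elif depth == 0 and "=" in tok:
                    key, value = tok.split("=", 1)
                    params[key] = value
            yield section, params

def software_only_algorithms(text):
    """Per proposal entry, list enc-algorithms outside the accelerated set."""
    findings = []
    for section, params in parse_export(text):
        if section != "/ip ipsec proposal":
            continue
        # A missing key means the export omitted it; nothing to report then.
        algs = [a for a in params.get("enc-algorithms", "").split(",") if a]
        slow = [a for a in algs if not is_accelerated(a)]
        if slow:
            findings.append(slow)
    return findings

if __name__ == "__main__":
    print(software_only_algorithms(SAMPLE_EXPORT))
```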
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RB750gr3 on RouterOS 7.8 - IPSEC very slow

Fri Mar 17, 2023 11:17 pm

Hard to be sure without seeing the full config, but it feels like a PMTUD problem.
