I have built an IPsec tunnel between a Mikrotik RB750gr3 and a pfSense. The pfSense version is 2.6.0, which is currently the latest.
Traffic is flowing OK in both directions; however, it is very, very slow. So slow, in fact, that even RDP and SSH are affected (over RDP, mouse clicks do nothing; typed characters in SSH take a looong time to show up). I have two P1s: one is IPv4 with 2 x P2s, the other is IPv6 with 3 x P2s.
CPU usage looks OK (about 15% or so) and, strangely, ICMP pings are not affected at all (3-6 ms across the tunnel). But any other protocol is so slow I can't even seem to get a connection (e.g. if I try to drag and drop a file from an SMB share, it just errors out and the copy won't even start). Any ideas on where I can start debugging this? My internet connection is PPPoE over VLAN 10 at the Mikrotik end, and the internet access (via NAT or direct over IPv6) is working great.
Code:
/ip ipsec peer
add address=123.123.123.123/32 exchange-mode=ike2 name=Tunnel_1_IPv4
add address=abcd:abcd:abcd:ff23::2/128 exchange-mode=ike2 name=Tunnel_2_IPv6
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=4 enc-algorithm=aes-128 hash-algorithm=sha256 prf-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm,aes-192-ctr,aes-128-gcm pfs-group=modp2048
/ip ipsec identity
add peer=Tunnel_1_IPv4
add peer=Tunnel_2_IPv6
/ip ipsec policy
add comment="IPV4 AHL" dst-address=10.3.10.0/24 peer=Tunnel_1_IPv4 src-address=10.2.10.0/24 tunnel=yes
add comment="IPv4 F_LANPRIV_2002" dst-address=172.16.2.0/24 peer=Tunnel_1_IPv4 src-address=10.2.10.0/24 tunnel=yes
add comment="IPv6 AHL" dst-address=abcd:abcd:abcd:fc02::/64 peer=Tunnel_2_IPv6 src-address=cdef:cdef:9d01:100::/64 tunnel=yes
add comment="IPv6 F_LANPRIV" dst-address=abcd:abcd:abcd:fc04::/64 peer=Tunnel_2_IPv6 src-address=cdef:cdef:9d01:100::/64 tunnel=yes
add comment="IPv6 F_LANPUB" dst-address=abcd:abcd:abcd:fc03::/64 peer=Tunnel_2_IPv6 src-address=cdef:cdef:9d01:100::/64 tunnel=yes
However, IPv4 is totally unusable still. Any insights welcome.
Update 2: Under pressure to get this working I have migrated the VPN from ipsec to wireguard.
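The symptom pattern in the post (small ICMP echoes pass, TCP sessions such as RDP, SSH and SMB stall) is frequently a path-MTU problem, because ESP encapsulation reduces the usable packet size inside the tunnel and a dropped large packet looks like a very slow link. As an added example, not code from the poster or from MikroTik or pfSense, the Linux shell script below probes the largest DF-flagged packet that crosses the tunnel; the target host is a placeholder you supply (any LAN host on the far side), and `ping -M do` is assumed to be the iputils version.

```shell
#!/bin/sh
# Added example (not from the original post): find the largest unfragmented
# IPv4 packet that reaches a host on the far side of the tunnel.
# Requires Linux iputils ping: -M do sets the Don't Fragment bit so that
# oversized packets are dropped instead of fragmented along the path.

# Convert a desired on-the-wire IPv4 packet size into the ping payload size:
# 20 bytes IPv4 header + 8 bytes ICMP header are added by the stack.
payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Largest TCP MSS that fits in a given IPv4 path MTU (20 IPv4 + 20 TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Binary search between lo and hi (default 576..1500) for the largest packet
# that still gets an echo reply with DF set. Prints the size found, or 0.
probe_pmtu() {
    host=$1 lo=${2:-576} hi=${3:-1500} best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 2 -M do -s "$(payload_for_mtu "$mid")" "$host" >/dev/null 2>&1; then
            best=$mid; lo=$(( mid + 1 ))      # passed: try larger
        else
            hi=$(( mid - 1 ))                 # dropped: try smaller
        fi
    done
    echo "$best"
}

# Usage: ./probe.sh <far-side-host>   (placeholder, e.g. a host in 10.3.10.0/24)
if [ -n "$1" ]; then
    mtu=$(probe_pmtu "$1")
    echo "largest unfragmented IPv4 packet to $1: $mtu bytes"
    if [ "$mtu" -gt 0 ] && [ "$mtu" -lt 1500 ]; then
        echo "path MTU is below 1500; TCP MSS over the tunnel should be clamped to $(mss_for_mtu "$mtu") or less"
    fi
fi
```

If the probe stops well below 1500 while plain pings still succeed, the tunnel is dropping full-size segments rather than being slow, and MSS clamping or a lower interface MTU on the tunnel endpoints is the usual fix.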