I am having some trouble obtaining expected throughput on a link and was hoping someone could point me in the right direction.
I have a RB1100AHx4 and RB3011 connected with ipsec (aes-128 cbc) over the internet.
The RB1100AHx4 is on a 1gb line and the RB3011 on a 500mb line. Internet connections both test at that speed.
However when I use the Bandwidth Test tool to test bandwidth between routers (from the RB1100AHx4) I only get 160Mbps send and 240Mbps receive.
On transmitting to the RB3011 its CPU usage shows 50% (so using 100% of one core) with the "networking" process using 40%
If I receive from the RB3011 its CPU usage shows 100% (but it is 50% used by btest).
No firewall rules whatsoever. I have tried adding fasttrack but I don't think it will make a difference here as there is no forwarding applied.
Initially I tried to build a GRE tunnel to route traffic between sites but removed that because the performance was just too slow.
If anyone can suggest something I can try, I'd appreciate it
Config as follow:
RB3011:
Code: Select all
/interface ethernet
set [ find default-name=ether10 ] mtu=1400
/ip ipsec mode-config
add name=ike2-gre responder=no
/ip ipsec policy group
add name=ike2-gre
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-128 name=ike2-gre
/ip ipsec peer
add address=yadayadayada exchange-mode=ike2 name=p1.ez profile=ike2-gre
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=ike2-gre pfs-group=none
/ip address
add address=10.10.10.15/24 interface=ether10 network=10.10.10.0
/ip dns
set servers=10.10.10.1,10.10.10.2
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-gre peer=p1.ez policy-template-group=ike2-gre
/ip ipsec policy
add dst-address=192.168.99.0/24 group=ike2-gre proposal=ike2-gre src-address=192.168.99.0/24 template=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.10.199 routing-table=main suppress-hw-offload=no
Code: Select all
/interface ethernet
set [ find default-name=ether2 ] mtu=1400
/ip ipsec policy group
add name=ike2-gre
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-128 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=ike2-gre pfs-group=none
/ip pool
add name=pool1 ranges=192.168.99.2
/ip ipsec mode-config
add address-pool=pool1 name=ike2-gre split-include=192.168.99.1/32 system-dns=no
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add interface=ether1
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-gre peer=ike2 policy-template-group=ike2-gre
/ip ipsec policy
add dst-address=192.168.99.2/32 group=ike2-gre proposal=ike2-gre src-address=192.168.99.0/24 template=yes