
IPSec setup and performance problems

Wed Nov 17, 2021 12:27 am

Hello everybody,
I would like to ask for help with two problems. I have two MikroTik routers (an RB760iGS and an RBD52G-5HacD2HnD) in two locations, connected by a site-to-site IPsec tunnel, with the network set up according to the diagram below.
I'm now facing two problems with my setup:
  1. When I connect with Winbox from my PC to MikroTik 1, I can log in just fine, but no data is retrieved from the router and the connection is terminated after a little while. I have tried clearing the Winbox cache, but that did not help. Connections to the same router over HTTPS and SSH work fine.
  2. I have a problem with data-transfer performance through the IPsec tunnel. When I copy a file from NAS 1 to my PC, the transfer speed is very low, peaking at around 30 Mb/s (site 1 has 1 Gb/s down/up, site 2 has 100/10 Mb/s down/up), whereas when I download a file from the Internet I easily reach around 80 Mb/s. According to the router specifications I should get much better performance from the IPsec tunnel.
For completeness I also attach both router configurations; only the public IP addresses and the secrets have been replaced by placeholders.
Image
MikroTik 1 configuration (site 1, "Jicinska")
# nov/16/2021 23:12:45 by RouterOS 6.49
# software id = DI5B-P61T
#
# model = RB760iGS
#
# Site 1 ("Jicinska") router. LAN 192.168.10.0/25 on bridge LAN-Jicinska, public
# address on ether1 (renamed WAN-Jicinska), policy-based tunnel-mode IPsec to
# site 2's 192.168.10.128/25. site_ip_*, site_network_1, site_gateway_1 and
# "ipsec_secret" are placeholders inserted by the poster.
/interface bridge
add name=LAN-Jicinska
# Disabled loopback bridge (its 172.16.0.1 address further down is disabled too):
# an unused leftover.
add disabled=yes name=Loopback
/interface ethernet
set [ find default-name=ether1 ] comment=ether1 name=WAN-Jicinska
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# Active peer: static public address of site 2. No exchange-mode is exported, so
# the default applies (presumably IKEv1 main mode; exchange-mode=ike2 on both
# sides would be the modern choice -- TODO confirm).
add address=site_ip_2/32 local-address=site_ip_1 name=PEER-Vysluni1
# Disabled passive peer, paired with the disabled port-override identity below;
# looks like an earlier road-warrior attempt.
add disabled=yes name=PEER-Vysluni passive=yes send-initial-contact=no
/ip ipsec profile
# Phase 1: DH group 14 (modp2048), AES-256, SHA-256; no legacy algorithms left in.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: ESP with AES-256-CBC / SHA-256, PFS on group 14, 1 h SA lifetime.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=1h pfs-group=modp2048
/ip pool
add name=DHCP_POOL-Jicinska ranges=192.168.10.20-192.168.10.50
/ip dhcp-server
add address-pool=DHCP_POOL-Jicinska disabled=no interface=LAN-Jicinska \
    lease-time=1d name=DHCP-Jicinska
/interface bridge port
add bridge=LAN-Jicinska interface=ether2
add bridge=LAN-Jicinska interface=ether3
add bridge=LAN-Jicinska interface=ether4
add bridge=LAN-Jicinska interface=ether5
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" still includes the static WAN-Jicinska ethernet, so
# neighbor-discovery announcements (identity, version, MAC) leave on the public
# side. Prefer an interface list that contains only LAN-Jicinska.
set discover-interface-list=!dynamic
/interface l2tp-server server
# NOTE(review): L2TP/IPsec server settings with a pre-shared secret are still
# present. enabled=yes is not in the export, so the server is presumably off
# (default); if it is ever enabled it creates its own dynamic IPsec peer on
# site_ip_1 next to PEER-Vysluni1. Remove the secret if L2TP is not needed.
set ipsec-secret="ipsec_secret" use-ipsec=required
/ip address
add address=192.168.10.1/25 interface=LAN-Jicinska network=192.168.10.0
add address=site_ip_1/26 interface=WAN-Jicinska network=site_network_1
add address=172.16.0.1 disabled=yes interface=Loopback network=172.16.0.1
/ip dhcp-server network
add address=192.168.10.0/25 gateway=192.168.10.1
/ip dns
# The router resolves for the LAN; the two port-53 drop rules on WAN in the
# filter below keep it from being an open resolver towards the Internet.
set allow-remote-requests=yes servers=213.168.176.3
/ip firewall filter
# Fasttrack every forwarded connection except those carrying the "ipsec" mark
# (set in mangle below), because fasttracked packets bypass the IPsec policy check.
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=LAN-Jicinska out-interface=\
    WAN-Jicinska
add action=accept chain=input connection-state=established,related \
    dst-address=site_ip_1
# Management on the public address (SSH, HTTPS, Winbox) only from site 2's
# public IP.
add action=accept chain=input dst-address=site_ip_1 dst-port=\
    22,443,8291 in-interface=WAN-Jicinska protocol=tcp src-address=\
    site_ip_2
# IKE (500) / NAT-T (4500) from any source. The only peer is static, so
# src-address=site_ip_2 could be added here as well.
add action=accept chain=input dst-port=500,4500 in-interface=WAN-Jicinska \
    protocol=udp
add action=accept chain=input in-interface=WAN-Jicinska protocol=ipsec-esp
# The proposal above is ESP-only; this AH accept is never matched and can go.
add action=accept chain=input in-interface=WAN-Jicinska protocol=ipsec-ah
# Management from the remote LAN. ipsec-policy=in,ipsec means only packets that
# were actually decrypted from the tunnel match, so a packet arriving on WAN with
# a spoofed 192.168.10.128/25 source does not. Winbox to 192.168.10.1 is handled
# here in the input chain and is therefore never fasttracked; the Winbox symptom
# in the post is not explained by the fasttrack/mangle setup.
add action=accept chain=input dst-address=192.168.10.1 dst-port=22,443,8291 \
    ipsec-policy=in,ipsec protocol=tcp src-address=192.168.10.128/25
# Inter-site traffic in both directions, likewise bound to the IPsec policy.
add action=accept chain=forward dst-address=192.168.10.0/25 ipsec-policy=\
    in,ipsec src-address=192.168.10.128/25
add action=accept chain=forward dst-address=192.168.10.128/25 ipsec-policy=\
    out,ipsec src-address=192.168.10.0/25
add action=drop chain=input dst-port=53 in-interface=WAN-Jicinska protocol=\
    tcp
add action=drop chain=input dst-port=53 in-interface=WAN-Jicinska protocol=\
    udp
# Default deny for everything else reaching the router from WAN (not logged).
add action=drop chain=input in-interface=WAN-Jicinska log-prefix=DROP-INPUT
# Default deny for unsolicited traffic from WAN into the LAN, logged.
add action=drop chain=forward connection-state=invalid,new,untracked \
    in-interface=WAN-Jicinska log=yes log-prefix=DROP-RULE
/ip firewall mangle
# Connection mark consumed by the fasttrack rule's connection-mark=!ipsec.
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
# Inter-site traffic must not be masqueraded, otherwise it no longer matches the
# IPsec policy selectors; these two accepts sit before the masquerade rule.
add action=accept chain=srcnat dst-address=192.168.10.0/25 src-address=\
    192.168.10.128/25
add action=accept chain=srcnat dst-address=192.168.10.128/25 src-address=\
    192.168.10.0/25
add action=masquerade chain=srcnat log-prefix=MASQ out-interface=WAN-Jicinska
/ip firewall raw
# Disabled. If enabled, inter-site traffic would bypass connection tracking and
# with it the established/related and "ipsec" mark logic above.
add action=notrack chain=prerouting disabled=yes dst-address=\
    192.168.10.128/25 src-address=192.168.10.0/25
add action=notrack chain=prerouting disabled=yes dst-address=192.168.10.0/25 \
    src-address=192.168.10.128/25
/ip firewall service-port
# All NAT helpers (ALGs) switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Disabled identity for the disabled passive peer (see /ip ipsec peer).
add disabled=yes generate-policy=port-override peer=PEER-Vysluni secret=\
    "ipsec_secret"
# PSK authentication for the site-to-site peer.
add peer=PEER-Vysluni1 secret="ipsec_secret"
/ip ipsec policy
set 0 disabled=yes
# Tunnel-mode policy 192.168.10.0/25 <-> 192.168.10.128/25; level=unique gives
# this policy its own SA pair.
add dst-address=192.168.10.128/25 level=unique peer=PEER-Vysluni1 \
    src-address=192.168.10.0/25 tunnel=yes
/ip route
add distance=1 gateway=site_gateway_1
# Disabled: with policy-based IPsec the policy, not a route, steers the traffic.
add disabled=yes distance=1 dst-address=192.168.10.128/25 gateway=\
    LAN-Jicinska
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# HTTPS management with its own certificate, TLS 1.2 only.
set www-ssl certificate=WWW-Jicnska disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
# ssh and winbox are not in the export, so presumably at defaults (enabled, no
# "address" restriction); the WAN filter is the only thing limiting them to
# site_ip_2 and the remote LAN. Setting address= on both services would be an
# independent second layer.
/routing pim rp
# NOTE(review): PIM rendezvous point with no other multicast configuration in
# this export -- probably a leftover, worth removing.
add address=192.168.10.1
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RTR-Jicinska
/system logging
set 3 action=memory
/system ntp client
set enabled=yes primary-ntp=31.31.74.35 secondary-ntp=80.79.25.111
MikroTik 2 configuration (site 2, "Vysluni")
# nov/16/2021 23:13:47 by RouterOS 6.49
# software id = MEAK-U9X9
#
# model = RBD52G-5HacD2HnD
#
# Site 2 ("Vysluni") router. LAN 192.168.10.128/25 on bridge LAN-Vysluni (wired
# ports plus both radios), WAN is a PPPoE client on VLAN 848 of ether1,
# policy-based tunnel-mode IPsec to site 1's 192.168.10.0/25. site_ip_* and
# "ipsec_secret" are placeholders inserted by the poster.
/interface bridge
add name=LAN-Vysluni
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="czech republic" \
    disabled=no installation=indoor mode=ap-bridge ssid=Vysluni1011
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country="czech republic" \
    disabled=no installation=indoor mode=ap-bridge ssid=Vysluni1011
/interface vlan
add interface=ether1 name=vlan-848 vlan-id=848
/interface pppoe-client
# PPPoE with max-mtu/max-mru 1492; the ESP encapsulation of the tunnel shrinks the
# usable payload further, so full-size LAN packets through the tunnel end up
# fragmented unless MSS is clamped -- a candidate cause for both the Winbox and
# the throughput symptoms, TODO confirm with a capture. The ISP user/password are
# exported in clear text; they look like generic ISP credentials, but check before
# posting.
add add-default-route=yes disabled=no interface=vlan-848 max-mru=1492 \
    max-mtu=1492 name=WAN-Vysluni password=o2 user=o2
/interface wireless security-profiles
# NOTE(review): authentication-types allows wpa-psk (WPA1) next to wpa2-psk.
# Unless a legacy client needs WPA1, restrict this to authentication-types=wpa2-psk.
# Cipher settings are not in the export (defaults), so confirm they are aes-ccm only.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    "wpa_key" wpa2-pre-shared-key="wpa_key"
/ip ipsec peer
# Static peer for site 1; exchange-mode not exported, so the default applies
# (presumably IKEv1 main mode; exchange-mode=ike2 would be preferable and must
# match site 1 -- TODO confirm).
add address=site_ip_1/32 local-address=site_ip_2 name=PEER-Jicinska
/ip ipsec profile
# Phase 1: same parameters as site 1 (DH group 14, AES-256, SHA-256).
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: same as site 1 (ESP, AES-256-CBC / SHA-256, PFS group 14, 1 h lifetime).
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=1h pfs-group=modp2048
/ip pool
add name=DHCP_POOL-Vysluni ranges=192.168.10.150-192.168.10.254
/ip dhcp-server
add address-pool=DHCP_POOL-Vysluni disabled=no interface=LAN-Vysluni \
    lease-time=1d name=dhcp1
/interface bridge port
add bridge=LAN-Vysluni interface=ether2
add bridge=LAN-Vysluni interface=ether3
add bridge=LAN-Vysluni interface=ether4
add bridge=LAN-Vysluni interface=ether5
add bridge=LAN-Vysluni interface=wlan1
add bridge=LAN-Vysluni interface=wlan2
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" still covers the static ether1 / vlan-848 / WAN-Vysluni
# interfaces, so discovery announcements can leave towards the ISP. Prefer an
# interface list containing only LAN-Vysluni.
set discover-interface-list=!dynamic
/ip address
add address=192.168.10.129/25 interface=LAN-Vysluni network=192.168.10.128
/ip dhcp-server config
set store-leases-disk=1d
/ip dhcp-server network
add address=192.168.10.128/25 gateway=192.168.10.129
/ip dns
# Router resolves for the LAN; the port-53 drops on WAN below prevent open-resolver
# abuse from the Internet.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# Fasttrack every forwarded connection except those marked "ipsec" in mangle below.
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=LAN-Vysluni out-interface=\
    WAN-Vysluni
# Accept rule whose log-prefix says "DROP"; logging is off, so it is only misleading.
add action=accept chain=input connection-state=established,related \
    in-interface=WAN-Vysluni log-prefix=INPUT-EXIST-DROP
# NOTE(review): HTTPS and Winbox are accepted from ANY source on the public
# interface, whereas site 1 restricts the equivalent rule to the other site's
# address. Add src-address=site_ip_1, or drop the rule and manage this router
# through the tunnel. www-ssl is not enabled in this export (presumably default,
# disabled), so 443 currently reaches a closed service -- but 8291 reaches Winbox.
add action=accept chain=input dst-port=443,8291 in-interface=WAN-Vysluni \
    protocol=tcp
# IKE / NAT-T from any source; the only peer is static, so src-address=site_ip_1
# could be added.
add action=accept chain=input dst-port=500,4500 in-interface=WAN-Vysluni \
    protocol=udp
add action=accept chain=input in-interface=WAN-Vysluni protocol=ipsec-esp
# Unused: the proposal is ESP-only.
add action=accept chain=input in-interface=WAN-Vysluni protocol=ipsec-ah
# NOTE(review): accepts any protocol/port to the router from 192.168.10.0/25 with
# no check on how the packet arrived. Site 1's counterpart uses
# ipsec-policy=in,ipsec and dst-port=22,443,8291; add the same matchers here so a
# packet on WAN with a spoofed 192.168.10.0/25 source cannot match.
add action=accept chain=input dst-address=192.168.10.129 src-address=\
    192.168.10.0/25
# Same remark: no ipsec-policy=in,ipsec matcher on the inter-site forward rule.
add action=accept chain=forward dst-address=192.168.10.128/25 src-address=\
    192.168.10.0/25
# Disabled; LAN -> site 1 traffic enters on LAN-Vysluni, is not hit by the WAN
# drop rule at the end, and so passes on the chain's default accept.
add action=accept chain=forward disabled=yes dst-address=192.168.10.0/25 \
    src-address=192.168.10.128/25
add action=drop chain=input connection-state=invalid,new,untracked dst-port=\
    53 in-interface=WAN-Vysluni protocol=tcp
add action=drop chain=input connection-state=invalid,new,untracked dst-port=\
    53 in-interface=WAN-Vysluni protocol=udp
# Default deny for new traffic from WAN to the router and into the LAN (not logged).
add action=drop chain=input connection-state=invalid,new,untracked \
    in-interface=WAN-Vysluni log-prefix=INPUT-DROP
add action=drop chain=forward connection-state=invalid,new,untracked \
    in-interface=WAN-Vysluni
/ip firewall mangle
# Connection mark consumed by the fasttrack rule's connection-mark=!ipsec.
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
# Inter-site traffic is exempted from masquerade so it keeps matching the IPsec
# policy selectors.
add action=accept chain=srcnat dst-address=192.168.10.128/25 src-address=\
    192.168.10.0/25
add action=accept chain=srcnat dst-address=192.168.10.0/25 src-address=\
    192.168.10.128/25
add action=masquerade chain=srcnat log-prefix=MASQ out-interface=WAN-Vysluni
/ip firewall raw
# Disabled; enabling would bypass connection tracking (and the marks above) for
# inter-site traffic.
add action=notrack chain=prerouting disabled=yes dst-address=192.168.10.0/25 \
    src-address=192.168.10.128/25
add action=notrack chain=prerouting disabled=yes dst-address=\
    192.168.10.128/25 src-address=192.168.10.0/25
/ip firewall service-port
# All NAT helpers (ALGs) switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# PSK authentication for the site-to-site peer.
add peer=PEER-Jicinska secret="ipsec_secret"
/ip ipsec policy
set 0 disabled=yes
# Mirror of site 1's tunnel-mode policy.
add dst-address=192.168.10.0/25 level=unique peer=PEER-Jicinska src-address=\
    192.168.10.128/25 tunnel=yes
/ip route
# Disabled: the IPsec policy, not a route, steers inter-site traffic.
add disabled=yes distance=1 dst-address=192.168.10.0/25 gateway=LAN-Vysluni
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# ssh and winbox are not in the export, so presumably at defaults (enabled, no
# "address" restriction); www-ssl is likewise absent (presumably default,
# disabled) even though the WAN filter opens 443.
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RTR-Vysluni
/system ntp client
set enabled=yes primary-ntp=31.31.74.35 secondary-ntp=80.79.25.111