I'm wondering whether I have set up my hEX S the right way for maximum IKEv2 IPsec throughput. I suspect I'm doing something wrong and not getting the full benefit of the hardware crypto offload.
This is my situation:
- 1 Gbps fiber on VLAN 6 with PPPoE; I can reach this speed with minimal CPU load, for example when downloading from Usenet.
- I've configured the IKEv2 VPN for use on my iPhone, and all of the phone's traffic is sent through the tunnel (split-include 0.0.0.0/0).
Current test results:
- iPhone connected to my WiFi network, using the speedtest.net app without the VPN: 470Mbit down / 464Mbit up.
- iPhone connected to my WiFi network, using the speedtest.net app with the VPN: 85 Mbit down / 123 Mbit up. (Note that the phone is on the LAN side here, so the tunnel terminates on the bridge and the decrypted traffic is then NATed out over the PPPoE uplink; see the SA addresses below.)
- During the speedtest with the VPN, cpu0 hits 100%, and cpu3 50%.
- The profile tool shows the top processes as networking (20.3) and firewall (13.2).
Can someone help me correct my configuration, or confirm that this is simply what can be expected from this little box?
Thanks in advance!
The installed SAs (note the H flag on both entries, i.e. the SAs are already hardware-accelerated):
[RouterOS] > /ip/ipsec/installed-sa/print
Flags: S - SEEN-TRAFFIC; H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
# SPI STATE SRC-ADDRESS DST-ADDRESS AUTH-ALGORITHM ENC-ALGORITHM ENC-KEY-SIZE
0 SHE 0xE4571BE mature 192.168.5.183 192.168.5.254 sha1 aes-cbc 128
1 SHE 0x601F063 mature 192.168.5.254 192.168.5.183 sha1 aes-cbc 128
My full configuration export:
# mar/17/2023 20:42:33 by RouterOS 7.8
# software id = xxxx-xxxx
#
# model = RB760iGS
# serial number = xxxxxx
/interface bridge
# LAN bridge with a pinned admin MAC so the bridge address does not change when ports are added/removed.
add admin-mac=18:FD:74:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the factory-default WAN port (still listed in WAN and carrying a DHCP client below) but the real uplink is sfp1.
# ether3-ether5 stay bridge members but are administratively down.
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
# NOTE(review): auto-negotiation is off but no explicit speed/duplex appears in the export (default values are not printed) - confirm the intended link rate towards the ONT.
set [ find default-name=sfp1 ] auto-negotiation=no
/interface vlan
# ISP delivers the PPPoE session on VLAN 6 of the fiber link.
add interface=sfp1 name=sfp1.6 vlan-id=6
/interface pppoe-client
# WAN uplink. Every WAN-facing firewall/NAT rule below matches on this interface name (kpn), not on the WAN interface list.
# allow=pap,chap: PAP sends the PPPoE credentials unencrypted on the access link; acceptable only if the ISP insists on it.
add add-default-route=yes allow=pap,chap disabled=no interface=sfp1.6 max-mru=1500 max-mtu=1500 name=kpn use-peer-dns=yes user=kpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
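/ip ipsec policy group
# Separate policy group so the road-warrior template policy does not interact with the default group.
add name=vpn.<domain>.nl
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
# IKE SA (phase 1) parameters for the iPhone peer.
# Changed from dh-group=modp1024 (DH group 2, 1024-bit MODP, deprecated) to
# modp2048 (group 14), and the IKE integrity/PRF hash from the implicit sha1
# default to sha256 - the same values the default profile already uses.
# Both are supported by iOS IKEv2 but MUST be mirrored in the iPhone's VPN
# profile (IKE DH group 14, SHA2-256) or the tunnel will not come up.
# The IKE SA only carries key exchange and rekeys, so this has no effect on
# data-plane throughput.
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=vpn.<domain>.nl
/ip ipsec peer
# passive=yes: the router only answers the phone, it never initiates.
add exchange-mode=ike2 name=vpn.<domain>.nl passive=yes profile=vpn.<domain>.nl
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc pfs-group=none
# Child SA (ESP) parameters. auth-algorithms is left at its default (sha1),
# which is what the installed-sa listing shows with the H (hardware) flag;
# if you change the ESP cipher/auth, re-check that flag, since a combination
# the crypto engine does not support silently falls back to software.
# pfs-group=none disables perfect forward secrecy for the ESP keys; enabling
# it only costs a DH exchange at CHILD_SA rekey, but must be matched in the
# iOS profile.
add enc-algorithms=aes-128-cbc name=vpn.<domain>.nl pfs-group=none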
/ip pool
add name=default-dhcp ranges=192.168.5.100-192.168.5.200
# Addresses handed to IKEv2 road-warrior clients via mode-config; also reused as the PPP remote-address pool below.
add name=ikev2-pool ranges=100.64.3.10-100.64.3.20
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip ipsec mode-config
# split-include=0.0.0.0/0 pushes a full-tunnel policy to the phone, so every data packet is both IPsec-processed and NATed/PPPoE-encapsulated by this CPU.
# Clients get a /32 and the LAN DNS server (192.168.5.242) instead of the router's own resolver.
add address-pool=ikev2-pool address-prefix-length=32 name=vpn.<domain>.nl split-include=0.0.0.0/0 static-dns=192.168.5.242 system-dns=no
/port
set 0 name=serial0
/ppp profile
# Default PPP profile (used by the L2TP and OVPN servers if they are enabled). use-encryption=required demands PPP (MPPE) encryption.
# NOTE(review): use-compression=yes on an encrypted session gives no throughput benefit and is generally advised against - confirm it is wanted.
set *0 local-address=100.64.3.1 only-one=yes remote-address=ikev2-pool use-compression=yes use-encryption=required use-mpls=no use-upnp=no
/system logging action
# Remote syslog target on the LAN; messages leave the router as plain (unencrypted) syslog.
set 3 remote=192.168.5.247 src-address=192.168.5.254
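/interface bridge port
# ether3-ether5 are bridge members but are disabled in /interface ethernet above.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
# No MNDP/CDP/LLDP on any interface.
set discover-interface-list=none
/ipv6 settings
set max-neighbor-entries=8192
/interface l2tp-server server
# L2TP server is not enabled in this export (no enabled=yes); if it ever is, IPsec is mandatory for it.
set default-profile=default use-ipsec=required
/interface list member
# NOTE(review): the PPPoE uplink kpn is not a member of WAN; the firewall matches in-interface=kpn directly, so the WAN list is currently unused and only holds the disabled ether1.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# OVPN server is not enabled in this export, but md5 was removed from the
# accepted HMAC list so that enabling it later cannot negotiate an MD5 auth
# digest; sha1 is kept so any existing client profile still connects.
set auth=sha1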
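/ip address
add address=192.168.5.254/24 interface=bridge network=192.168.5.0
# NOTE(review): the IKEv2 client range is also configured as a connected subnet on the bridge.
# The instantiated IPsec policies for 100.64.3.x still take effect on output, so this works,
# but make sure no LAN device is ever given a 100.64.3.x address.
add address=100.64.3.1/24 interface=bridge network=100.64.3.0
/ip cloud
set update-time=no
/ip dhcp-client
# Factory-default client on ether1, which is disabled above - harmless leftover.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf dns-server=192.168.5.242 gateway=192.168.5.254
/ip dns static
# The defconf entry still pointed at 192.168.88.1 (factory LAN address) while
# this router's bridge address is 192.168.5.254; corrected so router.lan
# resolves to the router actually in use.
add address=192.168.5.254 comment=defconf name=router.lan
/ip firewall address-list
# NOTE(review): remote_ipsec_networks is not referenced by any filter/NAT rule in this export.
add address=100.64.1.0/24 comment=gns3-management list=remote_ipsec_networks
add address=100.64.2.0/24 comment=gns3-opwekking list=remote_ipsec_networks
add address=172.16.18.0/24 comment=gns3-management list=remote_ipsec_networks
add address=100.64.3.0/24 list=remote_ipsec_networks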
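/ip firewall filter
# Forward chain, IPsec first: anything decrypted by (in) or about to be
# encrypted by (out) an IPsec policy is accepted before the fasttrack rule can
# see it. Fasttracked packets bypass IPsec processing, so this order matters.
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
# connection-mark=!ipsec matches every connection, because no mangle rule in
# this export sets a mark named "ipsec"; the two accept rules above are what
# actually keep VPN traffic off the fasttrack path.
# NOTE(review): hw-offload only takes effect on models whose switch chip
# supports fasttrack offload - verify for the RB760iGS.
add action=fasttrack-connection chain=forward comment=fasttrack connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept ipsec-esp" in-interface=kpn protocol=ipsec-esp
# IKE (500) and NAT-T (4500) have to be reachable in the clear. L2TP (1701)
# used to be accepted here unconditionally; with use-ipsec=required on the
# L2TP server it can only legitimately arrive inside the IPsec transport SA,
# so it now has its own rule gated on ipsec-policy=in,ipsec.
add action=accept chain=input comment="accept ipsec-nat-t" dst-port=500,4500 in-interface=kpn protocol=udp
add action=accept chain=input comment="accept l2tp only inside ipsec" dst-port=1701 in-interface=kpn ipsec-policy=in,ipsec protocol=udp
# Road-warrior clients may reach the router itself (DNS, management); the
# management services are additionally bound to 192.168.5.0/24 in /ip service.
add action=accept chain=input comment="accept ikev2 vpn clients" ipsec-policy=in,ipsec src-address=100.64.3.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=input-drop-invalid
# Everything not arriving via a LAN-list interface is dropped; LAN traffic falls through to the implicit accept.
add action=drop chain=input comment="drop all !LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix=ipv4-drop-invalid
# Only DST-NATed new connections may enter from the uplink; see /ip firewall nat.
add action=drop chain=forward comment="drop all from kpn not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=kpn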
/ip firewall nat
# ipsec-policy=out,none guarantees a packet that will be IPsec-encrypted is never source-NATed first.
# The phone's decrypted Internet-bound flows (src 100.64.3.x) leave via kpn and are masqueraded like LAN traffic.
add action=masquerade chain=srcnat comment="Masquerade WAN" ipsec-policy=out,none out-interface=kpn
# Published services; each pairs with the forward-chain "drop all from kpn not DSTNATed" rule.
# NOTE(review): 8080 (UniFi inform) and 3478 (STUN) are open to the whole Internet - if only a few remote APs need them, restrict with a src-address-list.
add action=dst-nat chain=dstnat comment="NAS - Email" dst-address=<public_wan_ip> dst-port=25,587,993 in-interface=kpn protocol=tcp to-addresses=192.168.5.252
add action=dst-nat chain=dstnat comment="K3S - Nginx" dst-address=<public_wan_ip> dst-port=80,443 in-interface=kpn protocol=tcp to-addresses=192.168.5.241
add action=dst-nat chain=dstnat comment="K3S - Plex" dst-address=<public_wan_ip> dst-port=32400 in-interface=kpn protocol=tcp to-addresses=192.168.5.244
add action=dst-nat chain=dstnat comment="K3S - Unifi controller" dst-address=<public_wan_ip> dst-port=8080 in-interface=kpn protocol=tcp to-addresses=192.168.5.243
add action=dst-nat chain=dstnat comment="K3S - Unifi STUN" dst-address=<public_wan_ip> dst-port=3478 in-interface=kpn protocol=udp to-addresses=192.168.5.243
/ip ipsec identity
# One identity per client: the phone authenticates with a client certificate
# (match-by=certificate, remote-id user-fqdn) and the router presents the
# vpn.<domain>.nl server certificate. generate-policy=port-strict instantiates
# a policy from the template below using the ports from the peer's proposal.
add auth-method=digital-signature certificate=vpn.<domain>.nl comment=<user>@iphone generate-policy=port-strict match-by=certificate mode-config=vpn.<domain>.nl peer=vpn.<domain>.nl \
policy-template-group=vpn.<domain>.nl remote-certificate=<user>@vpn.<domain>.nl remote-id=user-fqdn:<user>@vpn.<domain>.nl
/ip ipsec policy
# Factory default policy disabled.
set 0 disabled=yes
# Template: any destination (0.0.0.0/0) towards a mode-config client address is
# protected with the aes-128-cbc proposal. A template never matches traffic by
# itself; the identity above derives a concrete per-client policy from it.
add comment="IKEv2 vpn.<domain>.nl" dst-address=100.64.3.0/24 group=vpn.<domain>.nl proposal=vpn.<domain>.nl src-address=0.0.0.0/0 template=yes
/ip service
# Management surface: telnet/ftp/api/api-ssl/winbox off; www and ssh bound to
# the LAN subnet only (so VPN clients in 100.64.3.0/24 cannot reach them).
# NOTE(review): www is plain HTTP, so the admin password crosses the LAN in the
# clear; www-ssl is not shown here (default disabled) - consider enabling it
# with a certificate and disabling www.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.5.0/24
set ssh address=192.168.5.0/24
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# 4096-bit host key; strong-crypto=yes disables the weak cipher/MAC/kex options.
set host-key-size=4096 strong-crypto=yes
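/ipv6 address
# One prefix from the delegated pool on the bridge; advertise=no, so this entry
# itself does not trigger router advertisements.
add address=::1 advertise=no from-pool=kpn-ipv6 interface=bridge
# Removed: "add address=::1 from-pool=kpn-ipv6 interface=*B". The interface
# was printed as an unresolved object id (*B), i.e. a leftover from an
# interface that no longer exists; it cannot be re-imported and may hold a
# prefix from the pool for nothing.
/ipv6 dhcp-client
# Request a delegated prefix (no address) from the ISP over the PPPoE session.
add interface=kpn pool-name=kpn-ipv6 request=prefix
/ipv6 firewall address-list
# fe80::/16 covers the link-local addresses seen in practice (the full
# allocation is fe80::/10). ff02::/16 never appears as a source address, so
# that entry is a no-op for src-address-list matches.
add address=fe80::/16 list=ipv6_trusted
add address=2a02:xxxx:xxxx::/48 list=ipv6_trusted
add address=ff02::/16 comment=multicast list=ipv6_trusted
/ipv6 firewall filter
add action=accept chain=input comment="accept established and related" connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
# Order matters: link-local from the uplink is dropped here BEFORE the
# ipsec_trusted accept below, which would otherwise admit it (fe80::/16 is in
# that list).
add action=drop chain=input comment="drop link local from internet" in-interface=kpn src-address=fe80::/16
add action=accept chain=input comment="accept ipv6_trusted" src-address-list=ipv6_trusted
add action=drop chain=input comment="default deny"
# Forward: nothing new is accepted from kpn; the LAN prefix is reachable only
# for established/related. ICMPv6 errors for existing flows (e.g. Packet Too
# Big) should be classified as related by conntrack and pass the first rule.
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment="accept icmpv6 !kpn" in-interface=!kpn protocol=icmpv6
add action=accept chain=forward comment="accept ipv6_trusted !kpn" in-interface=!kpn src-address-list=ipv6_trusted
add action=drop chain=forward comment="default deny" log-prefix=IPV6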
/snmp
# SNMP is enabled and reachable wherever the IPv4 input chain permits (LAN and
# IPsec clients). No /snmp community section appears in this export, which
# suggests the default read-only community is still in use.
# NOTE(review): confirm the community was changed from the default, or move to SNMPv3.
set contact=<user> enabled=yes location=Meterkast trap-generators=""
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=RouterOS
/system logging
# Ship info/critical/warning/error to the remote syslog action defined above.
add action=remote topics=info,critical,warning,error
/system ntp client
set enabled=yes
/system ntp client servers
# Single pool entry. Correct time matters here because the IKEv2 certificate
# validity checks depend on it; NTP itself is unauthenticated.
add address=nl.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet, MAC-winbox and MAC-ping disabled on every interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no