stimmerman
just joined
Topic Author
Posts: 2
Joined: Fri Mar 17, 2023 9:54 pm

hEX S/RB760iGS IKEv2 RoadWarrior throughput

Fri Mar 17, 2023 10:20 pm

Hi all,

I'm wondering if I have set up my hEX S the right way for maximum IKEv2 IPsec throughput. I think I'm doing something wrong to achieve the right hardware offload.

This is my situation:
- 1Gbps fiber on vlan6 with PPPoE, I can reach this speed with minimum CPU load for example when using usenet.
- I've configured the IKEv2 VPN for usage on my iPhone and I send all traffic through the tunnel.

Current test result:
- iPhone connected to my WiFi network, using the speedtest.net app without the VPN: 470Mbit down / 464Mbit up.
- iPhone connected to my WiFi network, using the speedtest.net app with the VPN: 85Mbit down / 123Mbit up.

- During the speedtest with the VPN, cpu0 hits 100%, and cpu3 50%.
- The profile tool shows the top process networking: 20.3 and firewall: 13.2.

Can someone help me correct my configuration, or assure me this is to be expected from this little box :)
Thanks in advance!

The installed SAs:
[RouterOS] > /ip/ipsec/installed-sa/print
Flags: S - SEEN-TRAFFIC; H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
#     SPI        STATE   SRC-ADDRESS    DST-ADDRESS    AUTH-ALGORITHM  ENC-ALGORITHM  ENC-KEY-SIZE
0 SHE 0xE4571BE  mature  192.168.5.183  192.168.5.254  sha1            aes-cbc                 128
1 SHE 0x601F063  mature  192.168.5.254  192.168.5.183  sha1            aes-cbc                 128

My full configuration export:
# mar/17/2023 20:42:33 by RouterOS 7.8
# software id = xxxx-xxxx
#
# model = RB760iGS
# serial number = xxxxxx
/interface bridge
add admin-mac=18:FD:74:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] auto-negotiation=no
/interface vlan
add interface=sfp1 name=sfp1.6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=sfp1.6 max-mru=1500 max-mtu=1500 name=kpn use-peer-dns=yes user=kpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=vpn.<domain>.nl
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp1024 enc-algorithm=aes-128 name=vpn.<domain>.nl
/ip ipsec peer
add exchange-mode=ike2 name=vpn.<domain>.nl passive=yes profile=vpn.<domain>.nl
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc pfs-group=none
add enc-algorithms=aes-128-cbc name=vpn.<domain>.nl pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.5.100-192.168.5.200
add name=ikev2-pool ranges=100.64.3.10-100.64.3.20
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=ikev2-pool address-prefix-length=32 name=vpn.<domain>.nl split-include=0.0.0.0/0 static-dns=192.168.5.242 system-dns=no
/port
set 0 name=serial0
/ppp profile
set *0 local-address=100.64.3.1 only-one=yes remote-address=ikev2-pool use-compression=yes use-encryption=required use-mpls=no use-upnp=no
/system logging action
set 3 remote=192.168.5.247 src-address=192.168.5.254
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=default use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.5.254/24 interface=bridge network=192.168.5.0
add address=100.64.3.1/24 interface=bridge network=100.64.3.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf dns-server=192.168.5.242 gateway=192.168.5.254
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=100.64.1.0/24 comment=gns3-management list=remote_ipsec_networks
add address=100.64.2.0/24 comment=gns3-opwekking list=remote_ipsec_networks
add address=172.16.18.0/24 comment=gns3-management list=remote_ipsec_networks
add address=100.64.3.0/24 list=remote_ipsec_networks
/ip firewall filter
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept ipsec-esp" in-interface=kpn protocol=ipsec-esp
add action=accept chain=input comment="accept ipsec-nat-t" dst-port=500,4500,1701 in-interface=kpn protocol=udp
add action=accept chain=input comment="accept ikev2 vpn clients" ipsec-policy=in,ipsec src-address=100.64.3.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=input-drop-invalid
add action=drop chain=input comment="drop all !LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix=ipv4-drop-invalid
add action=drop chain=forward comment="drop all from kpn not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=kpn
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN" ipsec-policy=out,none out-interface=kpn
add action=dst-nat chain=dstnat comment="NAS - Email" dst-address=<public_wan_ip> dst-port=25,587,993 in-interface=kpn protocol=tcp to-addresses=192.168.5.252
add action=dst-nat chain=dstnat comment="K3S - Nginx" dst-address=<public_wan_ip> dst-port=80,443 in-interface=kpn protocol=tcp to-addresses=192.168.5.241
add action=dst-nat chain=dstnat comment="K3S - Plex" dst-address=<public_wan_ip> dst-port=32400 in-interface=kpn protocol=tcp to-addresses=192.168.5.244
add action=dst-nat chain=dstnat comment="K3S - Unifi controller" dst-address=<public_wan_ip> dst-port=8080 in-interface=kpn protocol=tcp to-addresses=192.168.5.243
add action=dst-nat chain=dstnat comment="K3S - Unifi STUN" dst-address=<public_wan_ip> dst-port=3478 in-interface=kpn protocol=udp to-addresses=192.168.5.243
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.<domain>.nl comment=<user>@iphone generate-policy=port-strict match-by=certificate mode-config=vpn.<domain>.nl peer=vpn.<domain>.nl \
    policy-template-group=vpn.<domain>.nl remote-certificate=<user>@vpn.<domain>.nl remote-id=user-fqdn:<user>@vpn.<domain>.nl
/ip ipsec policy
set 0 disabled=yes
add comment="IKEv2 vpn.<domain>.nl" dst-address=100.64.3.0/24 group=vpn.<domain>.nl proposal=vpn.<domain>.nl src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.5.0/24
set ssh address=192.168.5.0/24
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 address
add address=::1 advertise=no from-pool=kpn-ipv6 interface=bridge
add address=::1 from-pool=kpn-ipv6 interface=*B
/ipv6 dhcp-client
add interface=kpn pool-name=kpn-ipv6 request=prefix
/ipv6 firewall address-list
add address=fe80::/16 list=ipv6_trusted
add address=2a02:xxxx:xxxx::/48 list=ipv6_trusted
add address=ff02::/16 comment=multicast list=ipv6_trusted
/ipv6 firewall filter
add action=accept chain=input comment="accept established and related" connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=drop chain=input comment="drop link local from internet" in-interface=kpn src-address=fe80::/16
add action=accept chain=input comment="accept ipv6_trusted" src-address-list=ipv6_trusted
add action=drop chain=input comment="default deny"
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment="accept icmpv6 !kpn" in-interface=!kpn protocol=icmpv6
add action=accept chain=forward comment="accept ipv6_trusted !kpn" in-interface=!kpn src-address-list=ipv6_trusted
add action=drop chain=forward comment="default deny" log-prefix=IPV6
/snmp
set contact=<user> enabled=yes location=Meterkast trap-generators=""
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=RouterOS
/system logging
add action=remote topics=info,critical,warning,error
/system ntp client
set enabled=yes
/system ntp client servers
add address=nl.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
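A way to check the H (HW-AEAD) flag across an installed-SA listing mechanically, as an added example that is not code from the post or from MikroTik: a Python parser for the `/ip/ipsec/installed-sa/print` column layout shown above, which reports per SA whether the legend's H flag is present (the indicator to look at when asking whether an SA is being handled by the hardware crypto engine) and whether traffic has been seen on it. The sample text embeds the two SA rows from the post plus one constructed row with no flags set, to show the negative case; the SPI, peer address and algorithms in that third row are placeholders, not values from the post.

```python
"""Parse RouterOS `/ip/ipsec/installed-sa/print` output and report which
SAs carry the H (HW-AEAD) flag.  Added example; not the forum post's own
code and not a MikroTik tool."""
import re

# Constructed sample: rows 0 and 1 are the ones posted above, row 2 is a
# made-up SA with an empty flags column (placeholder SPI/peer/algorithms).
SAMPLE = """\
Flags: S - SEEN-TRAFFIC; H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
#     SPI        STATE   SRC-ADDRESS    DST-ADDRESS    AUTH-ALGORITHM  ENC-ALGORITHM  ENC-KEY-SIZE
0 SHE 0xE4571BE  mature  192.168.5.183  192.168.5.254  sha1            aes-cbc                 128
1 SHE 0x601F063  mature  192.168.5.254  192.168.5.183  sha1            aes-cbc                 128
2     0x0A1B2C3  mature  192.168.5.254  192.168.5.184  sha256          aes-cbc                 256
"""

# One SA row: index, optional flag letters, SPI, state, src, dst, auth,
# enc, key size.  The flags group is optional so a row whose flags column
# is blank (all spaces) still parses instead of shifting every field.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_installed_sas(text):
    """Return a list of dicts, one per SA row; legend/header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Flags:", "Columns:" and the "#" header line
        idx, flags, spi, state, src, dst, auth, enc, ksize = m.groups()
        flags = flags or ""
        sas.append({
            "index": int(idx),
            "flags": flags,
            "spi": spi,
            "state": state,
            "src": src,
            "dst": dst,
            "auth": auth,
            "enc": enc,
            "key_size": int(ksize),
            "hw_aead": "H" in flags,        # H - HW-AEAD per the legend
            "seen_traffic": "S" in flags,   # S - SEEN-TRAFFIC per the legend
        })
    return sas


def offload_report(sas):
    """Return (all_sas_have_H, report_lines) for a parsed SA list."""
    lines = []
    for sa in sas:
        status = "HW-AEAD" if sa["hw_aead"] else "no H flag (software path)"
        traffic = "traffic seen" if sa["seen_traffic"] else "no traffic yet"
        lines.append(
            f"SA {sa['index']} {sa['spi']} {sa['src']} -> {sa['dst']} "
            f"{sa['enc']}-{sa['key_size']}/{sa['auth']}: {status}, {traffic}"
        )
    return all(sa["hw_aead"] for sa in sas), lines


if __name__ == "__main__":
    ok, report = offload_report(parse_installed_sas(SAMPLE))
    print("\n".join(report))
    print("all SAs hardware-handled:", ok)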
 
stimmerman
just joined
Topic Author
Posts: 2
Joined: Fri Mar 17, 2023 9:54 pm

Re: hEX S/RB760iGS IKEv2 RoadWarrior throughput

Fri Mar 24, 2023 11:39 am

Anyone have a clue?
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: hEX S/RB760iGS IKEv2 RoadWarrior throughput

Fri Mar 24, 2023 2:06 pm

Look at the IPSec results:
https://mikrotik.com/product/hex_s#fndtn-testresults

You are also doing some filtering on the box, so I think this is what you can get out of a hEX S.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX S/RB760iGS IKEv2 RoadWarrior throughput

Fri Mar 24, 2023 2:27 pm

Wireguard is probably faster.
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: hEX S/RB760iGS IKEv2 RoadWarrior throughput

Fri Mar 24, 2023 2:42 pm

> Wireguard is probably faster.
With hEX, so same SoC, and WG I get around 150 Mbps... default firewall rules and no other changes.

Surely ikev2 configuration is not using IPSec hardware acceleration.
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: hEX S/RB760iGS IKEv2 RoadWarrior throughput

Fri Mar 24, 2023 3:07 pm

> Surely ikev2 configuration is not using IPSec hardware acceleration.
I don't think that's right, as IKEv2 is just used for the key exchange. So only the asymmetric part could be affected, but there is no acceleration for that anyway.
For AES CBC 256 there is HW acceleration regardless if IKEv1 or IKEv2 is used.

OP reaches over 200Mbit/s (IN+OUT) which is not far from the given values on the MT page, considering the published results were done with minimum config, optimal test environment and on ROS6.

https://help.mikrotik.com/docs/display/ ... celeration
