abbio90
Member Candidate
Topic Author
Posts: 163
Joined: Fri Aug 27, 2021 9:16 pm

IPSEC slow - resize MTU??

Wed May 17, 2023 12:27 am

Hello everyone... I have an IPsec IKEv1 peer towards an external company. They complained that the tunnel is slow.
I disabled Fast-Track, as it seems that IPsec doesn't like it.
Also, I did some pings without fragmenting the packet, and I noticed that the maximum packet that goes through without fragmentation is 1438... how can I set the MTU to 1438 for IPsec?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC slow - resize MTU??

Sun May 21, 2023 8:13 pm

With bare IPsec (i.e. no L2TP/IPsec or another kind of tunnel whose transport packets are ciphered using IPsec), there is no interface to set MTU at, but on a simple site-to-site IPsec link, PMTUD should work fine unless a firewall at one of the ends of the tunnel is misconfigured and blocks ICMP "fragmentation needed" messages. If you do not experience failing connections via the tunnel, it means that PMTUD works fine and you don't need to care about the MTU.

Regarding speed, the IPsec payload traffic must indeed be exempted from fasttracking, as one of the packet processing steps that most (not all) fasttracked packets bypass is the IPsec policy matching. Since disabling fasttracking completely hasn't helped to reach the desired speed, there must be some other limitation. Not all MikroTik routers support IPsec encryption and decryption in hardware, and even those that do only support a particular set of algorithms (details here). So what is your uplink bandwidth for upload and download, what is your MikroTik model, and what is the speed through the IPsec link?
 
abbio90
Member Candidate
Topic Author
Posts: 163
Joined: Fri Aug 27, 2021 9:16 pm

Re: IPSEC slow - resize MTU??

Mon May 22, 2023 9:42 am

Thanks for the reply. I solved it by disabling fast track.
The hardware is an RB3011.
But if I want to mark the IPsec connection, how do I do it? I have made several unsuccessful attempts.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC slow - resize MTU??

Mon May 22, 2023 10:06 am

It depends on what you want to mark - the payload traffic or the transport traffic? There is a match condition `ipsec-policy=(in|out),(ipsec|none)` that matches on a packet that matches (or doesn't match, if `none`) an existing traffic selector in a particular direction, but if you want to mark a payload packet that will be sent via a particular SA, you need to match on src and/or dst address as well.

If you need to mark a payload packet and use the mark when handling a transport packet, you must set the DSCP field of the transport packet instead - it is copied into the DSCP field of the transport packet, and you can then set a packet mark for the transport packet based on the DSCP value. The transport packet does not inherit the packet mark from the payload one it transports, nor vice versa for received transport packets.
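The following RouterOS configuration is an added example, not part of the thread or written by any of its participants. It sketches the two techniques discussed above: exempting IPsec payload traffic from fasttrack with the `ipsec-policy` matcher, and carrying a mark from the payload packet to the transport packet through DSCP. The subnets, the DSCP value 10, the mark name `ipsec-transport` and the comments are constructed assumptions, and the transport is assumed to be plain ESP (with NAT-T the transport packets are UDP port 4500 rather than `ipsec-esp`).

```routeros
# Assumed (constructed) addressing: 192.168.10.0/24 = local LAN,
# 192.168.20.0/24 = remote LAN behind the IPsec peer.

/ip firewall filter
# Accept IPsec payload traffic in both directions. These two rules must
# sit ABOVE the fasttrack-connection rule in the forward chain, so that
# connections using the tunnel never get fasttracked while all other
# traffic still is.
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="ipsec payload in (exempt from fasttrack)"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="ipsec payload out (exempt from fasttrack)"
add chain=forward action=fasttrack-connection \
    connection-state=established,related
add chain=forward action=accept connection-state=established,related

/ip firewall mangle
# Step 1: payload packet, before encryption. ipsec-policy=out,ipsec only
# says "matches some traffic selector", so src/dst addresses are added to
# pick the traffic of one particular SA. The packet mark itself would be
# lost at encapsulation, so the DSCP field is set instead.
add chain=postrouting action=change-dscp new-dscp=10 passthrough=yes \
    ipsec-policy=out,ipsec \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="tag payload for SA to 192.168.20.0/24"

# Step 2: transport packet, after encryption. The ESP packet traverses
# postrouting again carrying the DSCP value copied from the payload, so
# it can now be given a packet mark (e.g. for queueing).
add chain=postrouting action=mark-packet \
    new-packet-mark=ipsec-transport passthrough=no \
    protocol=ipsec-esp dscp=10 \
    comment="mark transport packets of that SA"
```

On a router that already has the default firewall, check the rule order with `/ip firewall filter print` and move the two `ipsec-policy` accept rules above the existing fasttrack rule rather than adding a second one.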
