reallyfastnet
just joined
Topic Author
Posts: 6
Joined: Fri Mar 28, 2014 2:54 am

High Speed VPN - 100Mbps +

Fri Mar 28, 2014 3:10 am

I have been trying to set up a high speed VPN on CCR1016s.

So far I notice that SSTP is only able to pass just over 40Mb/s in SSTP.

Does anyone know the highest performance VPN method in Mikrotik?

After looking around the web I wish Mikrotik supported
http://www.softether.org/ - it can go over 900Mbps :-) in VPN and it's open source.
 
Majklik
newbie
Posts: 35
Joined: Fri Dec 23, 2011 10:20 pm

Re: High Speed VPN - 100Mbps +

Fri Mar 28, 2014 12:29 pm

Try looking at IPsec. We have many 100 Mbps GRE/IPsec tunnels between RB1100AH/AHx2 routers without problems. They are limited by the 100 Mbps Ethernet paths (if I remember, the GRE/IPsec tunnel between two RB1100AHx2 runs around 250 Mbps on the 1 Gbps network with AES256/SHA1 proposal).
There is hardware encryption support for IPsec on the CCR routers:
What's new in 6.8 (2014-Jan-29 15:52):

...
*) ipsec - enable hardware acceleration for aes-cbc + md5|sha1|sha256 aead on CCR;
...
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Fri Mar 28, 2014 12:48 pm

SSTP can do more than 40Mbps especially on CCR.
Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel.
 
reallyfastnet
just joined
Topic Author
Posts: 6
Joined: Fri Mar 28, 2014 2:54 am

Re: High Speed VPN - 100Mbps +

Fri Mar 28, 2014 5:57 pm

We have a 100mbps connection to the internet.
We are using a CCR1016.
We did a bandwidth test with TCP across the current SSTP tunnel and can only achieve about 40Mbps.

We are going to be having our remote office connect over this link and access internet through the tunnel.

Do you recommend upgrading to 6.8 and using GRE/Ipsec with hardware encryption for the best speeds?

Thanks,

Robert
 
i4jordan
Frequent Visitor
Posts: 76
Joined: Mon Sep 02, 2013 1:42 am

Re: High Speed VPN - 100Mbps +

Fri Mar 28, 2014 6:46 pm

@mrz

What is the maximum speed the RB1100AHx2 can do with ipsec?
And also at what Encr. Algorithms do we get the best speed? Is it AES-cbc 128 or maybe AES-gcm 256 or ...?

We are using a lot of ipsec tunnels connected from CCR1036 to RB1100AHx2 and we'd like to optimize the ipsec speed.
Thank you in advance.
 
User avatar
TrollMan
Member Candidate
Member Candidate
Posts: 168
Joined: Mon Apr 04, 2011 9:25 pm

Re: Sv: High Speed VPN - 100Mbps +

Fri Mar 28, 2014 7:14 pm

How have you tested the performance?
 
reallyfastnet
just joined
Topic Author
Posts: 6
Joined: Fri Mar 28, 2014 2:54 am

Re: High Speed VPN - 100Mbps +

Sat Mar 29, 2014 1:02 am

What are the max speeds on EOIP?
 
reallyfastnet
just joined
Topic Author
Posts: 6
Joined: Fri Mar 28, 2014 2:54 am

Re: High Speed VPN - 100Mbps +

Mon Mar 31, 2014 12:35 am

SSTP can do more than 40Mbps especially on CCR.
Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel.

What is the proper setup on CCR for a GRE tunnel with IPSEC to achieve these speeds?
We just set this up and do not see anywhere near the speeds.
 
roadracer96
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 12:31 am

SSTP can do more than 40Mbps especially on CCR.
Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel.

Yeah right. Not in any of my testing with sstp, openvpn, gre/IPSec, l2tp/IPSec. Support told me that's the way it is and don't expect it to get better. Rb1100ahx2 outperforms ccr 1036 by a factor of 10.
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 11:34 am

On CCR1036 gre over ipsec can push 800Mbps full duplex.

Setup:
TG1---- CCR1----(ipsec/gre)---CCR2----TG2

CCR1 and CCR2 routers are CCR1036 running gre over ipsec (aes128 cbc)
TG1 and TG2 -- two CCR1009 routers running traffic generator.

The same test on CCR1009 was a bit slower 400Mbps full duplex.


GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.

Also if you push too much traffic to crypto driver it will significantly decrease performance because of OOO packets.
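
Added example (not part of any post in this thread, and not MikroTik code): a small audit that flags IPsec proposals using algorithms outside the set the thread names as hardware accelerated on CCR, that is aes-cbc with md5, sha1 or sha256 per the quoted 6.8 changelog, with GCM excluded per the post above. The export text is constructed, and the proposal names and algorithm spellings such as `aes-128-cbc` are assumptions that should be adjusted to what your RouterOS version prints.

```python
import re

# From the thread: the 6.8 changelog lists aes-cbc + md5|sha1|sha256 as
# hardware accelerated on CCR; GCM is stated not to be.
HW_AUTH = {"md5", "sha1", "sha256"}

# Constructed sample in the style of a "/ip ipsec proposal" export.
# Names and algorithm spellings are assumptions, not taken from the thread.
SAMPLE_EXPORT = """\
/ip ipsec proposal
add name=gre-fast auth-algorithms=sha1 enc-algorithms=aes-128-cbc
add name=gre-gcm auth-algorithms=null enc-algorithms=aes-256-gcm
add name=mixed auth-algorithms=sha1,sha512 enc-algorithms=aes-256-cbc,3des
"""

def is_aes_cbc(enc):
    # Accept only explicit AES-CBC names such as "aes-128-cbc".
    return re.fullmatch(r"aes-(128|192|256)-cbc", enc) is not None

def audit_proposals(export_text):
    """Return {proposal name: [reasons it may fall back to software crypto]}."""
    findings = {}
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the menu path line and blanks
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        name = fields.get("name", "(unnamed)")
        reasons = []
        for enc in fields.get("enc-algorithms", "").split(","):
            if enc and not is_aes_cbc(enc):
                reasons.append(f"enc {enc} is not aes-cbc")
        for auth in fields.get("auth-algorithms", "").split(","):
            if auth and auth not in HW_AUTH:
                reasons.append(f"auth {auth} is not md5/sha1/sha256")
        findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_proposals(SAMPLE_EXPORT).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

An empty reason list means every algorithm the proposal offers is in the accelerated set named in the thread; it says nothing about boards or RouterOS versions the thread does not cover.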
 
roadracer96
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 4:41 pm

Support only got 190mbit from router to router (IE: Not forwarding). I (and others on the forum) don't see near that performance. I can only get about 20-25mbit full duplex between a CCR1036 and RB1100AHx2 using IPERF TCP, single connection with a 1400MTU GRE tunnel, a few mangle rules and a few queues in queue tree. Connection tracking off. Same setup replacing the CCR with an RB1100AHx2 nets me 200+Mbit full duplex. If I remove the queues and mangle rules, I get up to around 50mbit full duplex.

If I disable the IPSEC policy on both ends, I get about 400mbit full duplex.

If I don't use GRE and use IPSEC in tunnel mode, I get nearly 400mbit full duplex. But, I can't do this as I need to run PIM, OSPF, and MPLS.

If I run the test using bandwidth test from router to router, I get about 230mbit 1 way (With no mangle or queues) using default 20 connections. If I source the bandwidth test from another CCR on the other side of the CCR doing the encryption, it drops to about 150mbit 1 way.

If I run the test using bandwidth test with 1 TCP connection from router to router, I only get about 100mbit. If I source the bandwidth test from another CCR on the other side of the CCR doing the encryption, it drops to about 50mbit.

So.. In summary. The CCR can only forward a single TCP connection over GRE with ipsec encryption at about 50mbit aggregate throughput. The CCR performance seems to suffer GREATLY when forwarding traffic arriving through an IPSEC encrypted GRE tunnel. Performance is reasonable when not FORWARDING across the routers, but that doesn't really do anyone any good.

Performance seems to drop another 30%+ if you use the queue tree and mangle rules, or even simple queues.

****Show me a functional lab of setup of 2 PCs data being routed through a RB1100AHx2 and a CCR 1036 over a GRE/IPSEC tunnel that runs 800mbit on a single TCP stream. Heck, even multiple TCP streams.****

EDIT: I was using AES128-CBC.

How much do tagged vlans impact the performance of the CCR?
 
onnoossendrijver
Member
Posts: 418
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 5:16 pm

GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.
Will GCM be hardware-encrypted in future software?
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 5:23 pm

Not true.

Support provided figure was rough estimate by running bw test on the same router just to show that it is possible to get more than you are saying.


The same setup instead of stateless traffic generator, bw test with single tcp connection

[admin@Board_15 /ip address> /tool bandwidth-test 172.16.0.2 protocol=tcp tcp-conn
ection-count=1
status: running
duration: 20s
rx-current: 229.8Mbps


And this is because on tester router core on which BW test is running is maxed out, not because DUT cannot handle more.

Increase connection count to 60

[admin@Board_151] /ip address> /tool bandwidth-test 172.16.0.2 protocol=tcp tcp-co
nnection-count=60
status: running
duration: 23s
rx-current: 344.3Mbps
rx-10-second-average: 353.3Mbps
rx-total-average: 365.8Mbps
random-data: no
direction: receive


Again in this test gre/ipsec tunnel is between two CCR1036.
 
roadracer96
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 5:45 pm

You said 800mbit, not 229mbit or 353mbit.

PS: You said 800mbit full duplex... I see 229mbit/353mbit 1/2 duplex. I bet if you did them both ways at the same time, the results would be approximately 1/2.
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 6:39 pm

read again .. 800Mbps full duplex is with traffic generator not TCP.

TCP will be always slower.
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 6:40 pm

GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.
Will GCM be hardware-encrypted in future software?
Currently no.
 
roadracer96
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: High Speed VPN - 100Mbps +

Wed May 28, 2014 10:01 pm

I just did a UDP test with 10 streams.. I got 800mbit.. with 20% packet loss..

Transmit only.
 
alexjhart
Member Candidate
Posts: 193
Joined: Thu Jan 20, 2011 8:03 pm

Re: High Speed VPN - 100Mbps +

Thu Dec 17, 2015 3:00 am

I just did a UDP test with 10 streams.. I got 800mbit.. with 20% packet loss..

Transmit only.
Yeah, same here :( Sometimes the packet loss is even worse (like 80-95%) depending on test parameters. All of which are virtually zero without encryption enabled.
-----
Alex Hart

The Brothers WISP
 
mikruser
Member
Posts: 408
Joined: Wed Jan 16, 2013 6:28 pm

Re: High Speed VPN - 100Mbps +

Thu Dec 17, 2015 10:29 am

GCM is not hardware encrypted, so in this case you can get max 80Mbps gre/ipsec traffic on CCR1009.
Will GCM be hardware-encrypted in future software?
Currently no.
Why?
do not ask me why it is necessary.
 
pe1chl
Forum Guru
Posts: 6174
Joined: Mon Jun 08, 2015 12:09 pm

Re: High Speed VPN - 100Mbps +

Thu Dec 17, 2015 11:36 am

I'm surprised to read the claimed IPsec VPN rates achievable on the RB2011UiAS-2HnD...
Is it maybe only achievable in some specific configurations that happen to be hardware-accelerated?

When I configure a GRE tunnel with IPsec (by setting the IPsec secret in the GRE tunnel config) on my RB2011UiAS-2HnD
I get 100% CPU usage at about 20 Mbit/s outgoing traffic.
This is on a PPPoE internet connection, probably that matters too.

The default config generated from that tunnel setup uses ESP, 3des or aes-128, and sha1.
In this setup the peers agree to use aes-cbc.
I created my own IPsec profile and peer that uses AH instead, and it performs much better.

Is aes hardware accelerated on the RB2011UiAS-2HnD?
Is this kind of performance typical or have I likely made some error that severely affects performance?
Yesterday I made a feature request to offer an ESP/AH selection option in that "easy IPsec" setup within the
tunnel interfaces so it is easier to optimize, but when 200Mbit+ performance with ESP is achievable that is
not required.
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Thu Dec 17, 2015 11:45 am

Where do you see in this topic mentioning RB2011? This board has slow mips CPU and 20Mbps Ipsec traffic is typical throughput that you can get.

HW acceleration is supported on boards listed in the manual
http://wiki.mikrotik.com/wiki/Manual:IP ... encryption
 
pe1chl
Forum Guru
Posts: 6174
Joined: Mon Jun 08, 2015 12:09 pm

Re: High Speed VPN - 100Mbps +

Thu Dec 17, 2015 8:27 pm

Where do you see in this topic mentioning RB2011?
In the article from Majklik at the top of the page. Ok, I now see that RB2011AH is quite a different thing.
Confusing those MikroTik type numbers...

Anyway, with AH only it works much better. In many circumstances where one is not really worrying about eavesdroppers
AH is perfectly fine to get secure tunnels without insertion of traffic by hackers.
 
mikruser
Member
Posts: 408
Joined: Wed Jan 16, 2013 6:28 pm

Re: High Speed VPN - 100Mbps +

Fri Dec 18, 2015 11:04 am

HW acceleration is supported on boards listed in the manual
http://wiki.mikrotik.com/wiki/Manual:IP ... encryption
Your link does not contain RB3011.
RB3011 does not have HW encryption???
do not ask me why it is necessary.
 
troffasky
Member
Posts: 401
Joined: Wed Mar 26, 2014 4:37 pm

Re: High Speed VPN - 100Mbps +

Fri Dec 18, 2015 11:15 pm

Publicly available material about RB3011 CPU says it has crypto acceleration. Either public info is wrong or Mikrotik have chosen not to implement it at this point. You have to assume Mikrotik would implement it if they were able to.
 
mrz
MikroTik Support
Posts: 5961
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: High Speed VPN - 100Mbps +

Mon Dec 21, 2015 2:03 pm

RouterOS v6 does not have driver to support HW acceleration of RB3011. Most likely ROS v7 will have it.
 
mikruser
Member
Posts: 408
Joined: Wed Jan 16, 2013 6:28 pm

Re: High Speed VPN - 100Mbps +

Mon Dec 21, 2015 5:38 pm

RouterOS v6 does not have driver to support HW acceleration of RB3011. Most likely ROS v7 will have it.
Do you have info about ROS v7 release date? (+-month)
do not ask me why it is necessary.
