mabels
newbie
Topic Author
Posts: 26
Joined: Sun Feb 24, 2013 11:47 pm

ipsec ccr performance max 150mbit

Wed Sep 10, 2014 5:20 pm

Hello,

I have two CCR1036-8G-2S+ running 6.19, interconnected with 10gbit.

My setup

net-a -> net-b -> net-c

allows me to transfer 9.8Gbit/sec without encryption

If I add an IPsec tunnel to net-b with a policy for net-a/c, I end up with a max
throughput of ~170mbit/sec.
What could be the key to getting more speed with encryption enabled?

Here is the config of the left side:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=169.254.100.2/32 secret=test
/ip ipsec policy
add dst-address=169.254.102.0/24 sa-dst-address=169.254.100.2 sa-src-address=169.254.100.1 src-address=\
169.254.101.0/24 tunnel=yes

right side:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=169.254.100.1/32 secret=test
/ip ipsec policy
add dst-address=169.254.101.0/24 sa-dst-address=169.254.100.1 sa-src-address=169.254.100.2 src-address=\
169.254.102.0/24 tunnel=yes

Keep in mind, if I disable the policy I get 9.8Gbit throughput.

Thx in advance

meno
P.S. I played with the algorithms and there was no reasonable impact in performance terms.
Duduhandelman
Frequent Visitor
Posts: 89
Joined: Wed Jan 04, 2012 5:30 pm

Re: ipsec ccr performance max 150mbit

Wed Sep 10, 2014 8:19 pm

I think that hardware encryption is only working on AES and not 3DES.

Give it a try
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: ipsec ccr performance max 150mbit

Wed Sep 10, 2014 9:00 pm

Yes, change to AES-128 or AES-256 with SHA1 or SHA256
You should see a dramatic increase.
mabels
newbie
Topic Author
Posts: 26
Joined: Sun Feb 24, 2013 11:47 pm

Re: ipsec ccr performance max 150mbit

Thu Sep 11, 2014 1:59 am

I played around with encryption before and there was no significant difference, including the none option.

I set the proposal to:

0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m
pfs-group=modp1024

and there is only ~150-200Mbit throughput

So the problem is still there

meno
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: ipsec ccr performance max 150mbit

Thu Sep 11, 2014 2:02 am

Odd, maybe a hardware defect? My CCR 1016-12G sustains 500mbps quite well.
mabels
newbie
Topic Author
Posts: 26
Joined: Sun Feb 24, 2013 11:47 pm

Re: ipsec ccr performance max 150mbit

Thu Sep 11, 2014 12:20 pm

I just used another pair of CCR-1036-8G-2S+, no difference.

Could there be a problem in that I used only the 10GBit interfaces with VLANs?

/interface bonding
add lacp-rate=1sec mode=active-backup mtu=9216 name=sw10 slaves=\
te0-sw10-1,te1-sw10-2

/interface vlan
add interface=sw10 mtu=9100 name=v2200-test-interconnect vlan-id=2200
add interface=sw10 mtu=9100 name=v2201-test-left vlan-id=2201
add interface=sw10 mtu=9100 name=v2202-test-right vlan-id=2202

my
net a is vlan2201
net b is vlan2200
net c is vlan2202

This configuration is the same on both CCRs.

cheers

meno
mabels
newbie
Topic Author
Posts: 26
Joined: Sun Feb 24, 2013 11:47 pm

Re: ipsec ccr performance max 150mbit

Wed Oct 08, 2014 12:42 am

I discussed this topic with MikroTik support, but for now they don't understand
that I want to have only one channel which runs at more than 150Mbit.

To me it looks like a CCR router can only handle 150mbit per IPsec connection or per CPU.

I tried many things but I didn't find any load-balancing strategy across multiple
IPsec policies.

So this issue is still unsolved, stay tuned

meno