Mikrotik
vladme078, 2015-10-22 14:34:09

Heavy load on Mikrotik with l2tp/ipsec?

Good afternoon!
I have a Mikrotik CRS125-24G-1S-2HnD-IN. I set up l2tp/ipsec on it. The ISP speed is 30Mbps.
When a client connects, the speed does not rise above 10Mbps and the processor is 100% loaded.
As an experiment I set up PPTP - everything is fine there. The Mikrotik delivers the full speed and the load is 25-28%.
Can someone explain why that is?

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc
set h323 disabled=yes
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des,aes-128,aes-192,aes-256 exchange-mode=main-l2tp generate-policy=port-override local-address=0.0.0.0 passive=yes secret=password
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0


6 answer(s)
Sergey SA, 2015-10-23
@resetsa

And what is not clear? The processor is dead, it does not have time to encrypt anymore.

bukass, 2015-10-22
@bukass

What does tools/profile show? What is causing the load?

vladme078, 2015-10-22
@vladme078

encrypting 68%.
firewall 8%
l2tp 7%
networking 4%

shaytan, 2015-10-29
@shaytan

That's right, the processor is weak for strong encryption. Try using only AES; in my experiments it turned out faster than 3DES.

Vitaly Bogryashov, 2015-12-10
@vitalybogryashov

Of course, the problem is the complexity of encryption. You can try with just a password, without a certificate, and check the speed. In the end you have to choose what is more important: security or speed. Or change the hardware.

Maxim_Q, 2019-02-10
@Maxim_Q

enc-algorithms=3des,aes-256-cbc

The encryption algorithms are bad:
3des - vulnerable and slow
aes-256-cbc - heavily loads the CPU and gives a low data transfer rate
aes-128-cbc - use only this one, it has the highest speed; turn off the other modes.
Configure authorization by certificates, not by password. Only a certificate protects against a MITM attack.
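
The advice in the answers above (drop 3des, offer only aes-128-cbc, move from a password to certificates) can be checked mechanically against a RouterOS export. This is an added example, not part of the thread: the `audit` function is hypothetical, the sample text is trimmed from the question's config, and it assumes one command per line with no backslash continuations.

```python
# Added example: lint the IPsec part of a RouterOS export against this thread's advice.
# SAMPLE is trimmed from the config posted in the question; audit() is a hypothetical helper.
SAMPLE = """\
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des,aes-128,aes-192,aes-256 exchange-mode=main-l2tp secret=password
"""

def audit(export_text):
    """Return (menu, parameter, finding) tuples for IPsec settings the answers warn about."""
    findings = []
    menu = ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # a menu path such as "/ip ipsec peer"
            menu = line
            continue
        if not menu.startswith("/ip ipsec"):
            continue
        # key=value tokens of the set/add command; values of interest contain no spaces
        params = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for key in ("enc-algorithms", "enc-algorithm"):
            algos = [a for a in params.get(key, "").split(",") if a]
            if not algos:
                continue
            if "3des" in algos:
                findings.append((menu, key, "3des offered"))
            extra = [a for a in algos if a != "3des" and not a.startswith("aes-128")]
            if extra:
                findings.append((menu, key, "not aes-128 only: " + ",".join(extra)))
        if "secret" in params:            # report the parameter, never the secret value
            findings.append((menu, "secret", "pre-shared key in use"))
    return findings

if __name__ == "__main__":
    for menu, param, finding in audit(SAMPLE):
        print(f"{menu}: {param}: {finding}")
```
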
