
Slow VPN Connection, need optimization

Discussion in 'Networking' started by KKLC, Jul 10, 2018.

Thread Status:
Not open for further replies.
  1. KKLC

    KKLC Thread Starter

    Joined:
    Nov 16, 2008
    Messages:
    233
    I built an IPsec site-to-site VPN between two sites using Mikrotik routers at both sites. The VPN connection is fine; however, the speed over the VPN is not great. When I copied a file (ex. 500mb) from Site 2 to Site 1, I got a speed of 1.0 ~ 1.5 mbps only. I understand that this might be due to the slow upload from TWC cable. However, when I copied the same file from Site 1 to Site 2, which has much higher upload, it's still about the same speed.

    I had tried to lower the encryption to sha1 and aes-128 already, but it doesn't improve much. Does anyone have any clue? Thanks.


    Router: Mikrotik RB750Gr3
    Site 1 uses Verizon FIOS (100 down/100 up)
    Site 2 uses TWC (100 down/15 up)
     
  2. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,300
    Two things. One is your Mikrotiks just don't have the processing power to deal with the encryption. This is a reality, and when you look at routers/firewalls sold by the usual enterprise manufacturers like Cisco, you'll see they will put up the spec of what the throughput speed is under different VPN encryption algorithms. When I was using a Netgear FVS318v1 router, my speed through the router when running 3DES encryption was only about 1Mbps. I got better speeds when I upgraded the FVS318 to an FVS338. With that setup, I was able to get 50Mbps and if I remember correctly, AES 256 was now an option.

    The other issue could be network performance degraded due to frame fragmentation. This is pretty common and requires some tuning when VPNs are used. VPNs add overhead to the frame traffic being sent where the default of 1500 bytes for the payload will not fit in the layer 2 frame being pushed out from the router/firewall. As such, the 1500 byte payload has to be split into two frames and then reassembled on the other end. This process takes time and slows performance. This is also why the common recommendation is for people on DSL service to set their routers to run an MTU of 1492 to account for the additional DSL overhead. Here's an old Netgear article that shows you how to set your MTU for optimal operation:

    https://kb.netgear.com/19863/Ping-Test-to-determine-Optimal-MTU-Size-on-Router

    But with your contracted service speeds, I doubt MTU mismatch is causing such a drastic drop in performance and would put my hat on your Mikrotiks not having the processing horsepower to deal with the VPN encryption overhead.
     
  3. KKLC

    KKLC Thread Starter

    Joined:
    Nov 16, 2008
    Messages:
    233
    zx10guy, thanks for the advice. Mikrotik should have enough horsepower for VPN throughput. Its specs show that it can max out at >500mbps over IPsec; of course, it would be on a gig link for that.

    Hmmm... you are right, MTU might be it. It's currently on default 1500. It's not using GRE, so I am not sure which interface to apply it on. WAN port? I am concerned that changing it might take down my access to the remote router and their internet there, if that change is not correct.
     
  4. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,300
    I'll have to look at the specs of the Mikrotik. I do find many manufacturers embellish their numbers.

    You would apply it on the WAN port. I don't expect there to be a total disconnection, and even if there was, the VPN tunnel should come right back up if the keepalives are set correctly. The alternative is to have someone on standby there when you make the change or configure remote access to the router only till you're sure everything is working properly. Then remove the remote access.
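
The fragmentation point raised in this thread, worked through for the settings the original poster mentions (AES-128 with SHA1, 1500-byte MTU, no GRE). This is an added example, not part of any post and not Mikrotik's own code; it assumes IPv4 ESP in tunnel mode with AES-CBC and HMAC-SHA1-96, and all function names are illustrative.

```python
"""ESP tunnel-mode overhead calculator (constructed example).

Header sizes are the standard ones for IPv4 ESP (RFC 4303),
AES-CBC (RFC 3602) and HMAC-SHA1-96 (RFC 2404).
"""

OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), inside the encrypted part
NAT_T_UDP = 8     # UDP/4500 encapsulation, only when NAT traversal is active

# cipher -> (IV bytes, block bytes); auth -> truncated ICV bytes.
# aes-128-cbc/sha1 are the thread's settings; the others are for comparison.
CIPHERS = {"aes-128-cbc": (16, 16), "3des-cbc": (8, 8)}
AUTHS = {"sha1": 12, "sha256": 16}


def esp_packet_size(inner_len, cipher="aes-128-cbc", auth="sha1", nat_t=False):
    """Bytes on the wire for the ESP packet that carries one inner IP packet."""
    iv, block = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to a whole cipher block.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    fixed = OUTER_IPV4 + ESP_HEADER + iv + AUTHS[auth] + (NAT_T_UDP if nat_t else 0)
    return fixed + encrypted


def max_inner_packet(link_mtu=1500, **kw):
    """Largest inner IP packet whose ESP packet still fits in link_mtu."""
    size = link_mtu
    while esp_packet_size(size, **kw) > link_mtu:
        size -= 1
    return size


def tunnel_budget(link_mtu=1500, **kw):
    """Sizes to aim for so tunnelled traffic is not fragmented."""
    inner = max_inner_packet(link_mtu, **kw)
    return {
        "inner_mtu": inner,
        "tcp_mss": inner - 40,       # minus inner IPv4 (20) and TCP (20) headers
        "ping_payload": inner - 28,  # minus inner IPv4 (20) and ICMP (8) headers
    }


if __name__ == "__main__":
    for nat_t in (False, True):
        print("NAT-T" if nat_t else "plain ESP", tunnel_budget(1500, nat_t=nat_t))
    # A full-size 1500-byte LAN packet exceeds the WAN MTU once encapsulated.
    print("1500-byte inner packet ->", esp_packet_size(1500), "bytes on the wire")
```

The `ping_payload` value is the size to expect from a don't-fragment ping test run across the tunnel, the same method as the Netgear article linked in the thread.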
     
Short URL to this thread: https://techguy.org/1212687
