Mikrotik IPSec Performance Study

Sample network is implemented with similar devices and the Internet connection simulated via Lan connectivity. Two end hosts provide the transfer and reviver functionality.

Network Setup.

The test environment designed as explained in the diagram 1.0.

Test Setup Figure 1.0

End Host Configuration- Table 1.0

End Point 1

End point 2

Microsoft windows XP Professional SP3

CPU count 2

1.87 GB RAM 3.00GHz

100Mbps Realtek RTL8139/810x Family Fast Ethernet NIC

Microsoft windows XP Professional SP3

CPU count 1

1.47GB RAM 3.06GHz

100Mbps Realtek RTL8139 Family PCI Fast Ethernet NIC


Router Configuration - Table 1.1

Router 1

Speed

264 MHz

264 MHz

Memory

30MB RAM

30MB RAM

HD

128 MB

64 MB

RouterOS 3.30

RouterOS 3.20

Workload:

Hashing algorithm parameter is fixed to SHA and changed the encryption algorithm. Default CPU load without the traffic is stays around 2% from both routers. Traffic generated through iperf for the sample traffic.

Protocol

Cipher

Packet Size

Hash

Maximum Bandwidth Trial 1

TX Kbits/

RX Kbits

Maximum Bandwidth Trial 2

TX Kbits/

RX Kbits

Maximum Bandwidth Trial 3

TX Kbits/

RX Kbits

Maximum Bandwidth Trial 4

TX Kbits/

RX Kbits

AVG

TX Kbits/

RX Kbits

1.

TCP*

--

64

--

5.70/5.37

5.32/5.54

5.17/5.37

5.43/5.67

5.405/5.487

2.

TCP

DES

64

SHA

616/598

809/784

611/626

801/790

709/700

3.

TCP

3DES

64

SHA

616/ 594

601/537

802/769

638/614

664/628

4.

TCP

AES-128

64

SHA

795/868

615/639

788/806

821/807

755/780

5.

TCP

AES-192

64

SHA

613/628

803/769

602/627

768/816

697/710

6.

TCP

AES-256

64

SHA

541/577

784/753

632/645

778/826

684/700

7.

TCP*

--

96

--

6.15/5.97

6.02/ 6.21

6.03/6.29

6.29/6.55

6.122/6.225

8.

TCP

DES

96

SHA

724/716

839/771

716/724

813/ 775

773/747

9.

TCP

3DES

96

SHA

837/771

740/729

829/788

826/788

808/769

10.

TCP

AES-128

96

SHA

846/ 795

730/743

754/737

800/ 870

782/786

11.

TCP

AES-192

96

SHA

856/803

716/712

798/855

721/723

773/773

12.

TCP

AES-256

96

SHA

738/725

853/789

742/729

782/843

779/771

13.

TCP*

--

1536

--

10.4/8.43

8.85/9.90

8.37/10.4

9.06/9.71

9.17/9.61

14.

TCP

DES

1536

SHA

863/867

860/873

861/867

836/895

855/875

15.

TCP

3DES

1536

SHA

954/817

875/881

881/885

876/881

904/866

16.

TCP

AES-128

1536

SHA

894/ 898

898/909

897/901

828/968

879/919

17.

TCP

AES-192

1536

SHA

822/962

883/894

888/894

885/889

869/910

18.

TCP

AES-256

1536

SHA

883/889

821/955

876/888

879/882

865/903

* Bandwidth measured in Mbps.

Comments

Anonymous said…
hi Emanual

it's a very good article. keep up the good works

jana
September 20, 2010 at 2:40 PM
Post a Comment

Popular posts from this blog

PPTP Server as Cisco for Mikrotik Client

Image
Following configuration explains the Cisco as PPTP server and connecting two sites: Following Configuration needed to enable the VPDN and default server: vpdn enable ! vpdn-group Mtik ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool IPPOOL1 ppp encrypt mppe auto required ppp authentication ms-chap-v2 ms-chap pap ip local pool IPPOOL1 192.168.150.10 192.168.150.224 Few more additional things we need to keep the same ip address for the user: aaa new-model ! ! aaa authentication ppp default local aaa authorization network default local ! aaa attribute list Gobi attribute type addr 192.168.150.13 service ppp protocol ip mandatory attribute type route "10.0.0.0 255.255.255.0 192.168.150.13" attribute type interface-config "description Gobi-test" Finally apply the attribute list to the user: username gobi password 0 test username gobi aaa attri...
Read more

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in...
Read more

proxy arp

Image
In the above diagram , both hosts don't have default routes. But both are in the same /16 subnet. When host1 tries to ping host2 will it be able to ping ? Yes this behaviour due to the Proxy Arp feature. Note: Cisco by default enabled the proxy arp feature you have to disable it manually . Check the following Debug messages "debug arp" from the router. When the Arp request for 192.168.20.101 received on the router Fa0/1 it replies with its own mac address of fa0/1. (c200.03fc.0001)and vice versa *Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1 *Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1 *Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0 *Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEther...
Read more