
Slow ipsec throughput with offload enabled


Hello,

I did some very simple tests between my EdgeRouter Lite and a MikroTik x86 server on the other side. My EdgeRouter Lite has a 500/500 fiber link. The MikroTik is on a gigabit connection. I have IPSEC->GRE with OSPF dynamic routing.

The MikroTik is always at ~1% CPU.

The only configuration change was offload ipsec enable/disable.

Offload enabled (ran twice):

[  4]  0.0-10.5 sec  6.50 MBytes  5.21 Mbits/sec
[  4]  0.0-10.4 sec  5.88 MBytes  4.73 Mbits/sec

Offload disabled (also ran twice):

[  4]  0.0-10.9 sec  15.0 MBytes  11.5 Mbits/sec
[  4]  0.0-10.4 sec  14.8 MBytes  11.9 Mbits/sec

With offload enabled I have 40% less performance, any idea why? I was hoping for at least 50 Mbits/sec. I still have 10 days to return it; if I'm unable to make it faster, I'll return it and get a MikroTik CCR on my end.

My related configuration is below (with ipsec disable).

ubnt@erl01:~$ show version
Version: v1.8.5
Build ID: 4884695
Build on: 06/08/16 10:57
Copyright: 2012-2016 Ubiquiti Networks, Inc.
HW model: EdgeRouter Lite 3-Port
HW S/N: (NOT_NEEDED)
Uptime: 16:18:30 up 27 days, 20:56, 1 user, load average: 0.54, 0.20, 0.16

# show system offload
 hwnat disable
 ipsec disable
 ipv4 {
     forwarding enable
     gre enable
     pppoe enable
     vlan enable
 }
 ipv6 {
     forwarding enable
     pppoe enable
 }

ubnt@erl01# show vpn ipsec
 auto-firewall-nat-exclude enable
 esp-group ESP-AES128-SHA1-DH2-TRANSPORT {
     compression disable
     lifetime 3600
     mode transport
     pfs dh-group2
     proposal 1 {
         encryption aes128
         hash sha1
     }
 }
 ike-group IKE-AES128-SHA1-DH2 {
     dead-peer-detection {
         action hold
         interval 120
         timeout 120
     }
     ikev2-reauth no
     key-exchange ikev1
     lifetime 86400
     proposal 1 {
         dh-group 2
         encryption aes128
         hash sha1
     }
 }
 ipsec-interfaces {
     interface pppoe0
 }
 site-to-site {
     peer MY.REMOTE.IP {
         authentication {
             mode pre-shared-secret
             pre-shared-secret MY.SHARED.KEY
         }
         connection-type initiate
         default-esp-group ESP-AES128-SHA1-DH2-TRANSPORT
         ike-group IKE-AES128-SHA1-DH2
         ikev2-reauth inherit
         local-address MY.LOCAL.IP
         tunnel 0 {
             allow-nat-networks disable
             allow-public-networks disable
             protocol all
         }
     }
 }
