IKEv2 VPN Unusably Slow on MikroTik

IKEv2 (Internet Key Exchange version 2) is the key-exchange protocol of the IPsec suite: it authenticates the two peers and negotiates the security associations, and the tunnelled traffic itself is then carried by ESP.

The Problem

Using a MikroTik L009UiGS-2HaxD as the IKEv2 client, it is possible to establish an IPsec tunnel to a VPN provider's servers with EAP authentication. The tunnel comes up and traffic passes, but throughput drops to a fraction of the line speed and latency climbs.

Speed test without the VPN on a Cat5e wired device:

$ speedtest-cli
Retrieving speedtest.net configuration...
Testing from ISP (redacted)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Swish Fibre (London) [137.28 km]: 34.456 ms
Testing download speed...........................
Download: 338.45 Mbit/s
Testing upload speed...........................
Upload: 37.54 Mbit/s

Speed test with IKEv2 VPN on the same Cat5e wired device:

$ speedtest-cli
Retrieving speedtest.net configuration...
Testing from Hydra Communications (redacted)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Swish Fibre (London) [1.30 km]: 673.6 ms
Testing download speed...........................
Download: 7.56 Mbit/s
Testing upload speed...........................
Upload: 0.39 Mbit/s

The Workaround

Disable the fasttrack firewall rule. Fasttracked packets bypass most of the firewall, including IPsec policy matching, so once a connection has been fasttracked its packets are no longer handled consistently by the tunnel. Disabling the rule costs the fasttrack performance gain for all forwarded traffic, not only the tunnel. Change the rule number to match that of your MikroTik: numbers are positions in the current print output and shift whenever rules are added or removed, so check them before disabling anything.

/ip firewall filter disable numbers=20

Then add an IPsec policy with action=none for the LAN, so that traffic destined for the local network is exempted from the tunnel rather than being pushed to the VPN server.

/ip ipsec policy
add action=none dst-address=10.11.1.0/24 src-address=0.0.0.0/0 place-before=1 disabled=no

Replace dst-address=10.11.1.0/24 with your own local network range. Policies are matched in order, so the action=none policy must sit below the default template but above any IKEv2 policy, in particular above the dynamic encrypt policy that the client installs (place-before=1 puts it at position 1). See the example below, where the exemption is at position 1 and the dynamic encrypt policy at position 3.

/ip ipsec policy print 
Flags: T - TEMPLATE; D - DYNAMIC, A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
#     PEER     TUNNEL  SRC-ADDRESS   DST-ADDRESS   PROTOCOL  ACTION   LEVEL   PH2-COUNT
0 T *                  ::/0          ::/0          all                                 
1                      0.0.0.0/0     10.11.1.0/24  all       none                      
2 T                    0.0.0.0/0     0.0.0.0/0     all                                 
3  D      VPN  yes     10.6.0.14/32  0.0.0.0/0     all       encrypt  unique          1
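The same workaround as a single RouterOS CLI session, added here as an example that is not from the original post or the forum thread: the fasttrack rule is located by its action instead of a hard-coded number, the new policy carries a comment so it can be found again, and print commands verify the result. The LAN range 10.11.1.0/24 and the comment text are assumptions; change them to match your router.

```routeros
# Added example (not from the original post). Same workaround as above,
# written so that it does not depend on rule numbers. 10.11.1.0/24 and the
# comment string are assumptions: adjust them to your own LAN.

# 1. Disable fasttrack by matching on its action rather than its position,
#    since positions shift whenever rules are added or removed. If no such
#    rule exists, find returns nothing and disable is a no-op.
/ip firewall filter disable [find action=fasttrack-connection]

# 2. Exempt traffic to the LAN from the tunnel. place-before=1 inserts the
#    policy directly after the default template (position 0), ahead of the
#    dynamic encrypt policy that the IKEv2 client installs.
/ip ipsec policy add action=none src-address=0.0.0.0/0 dst-address=10.11.1.0/24 place-before=1 comment="LAN bypasses IKEv2 tunnel"

# 3. Verify the order: the action=none policy must print above the
#    D (dynamic) encrypt policy.
/ip ipsec policy print

# 4. Confirm the fasttrack rule is now disabled (flag X in the listing).
/ip firewall filter print where action=fasttrack-connection

# 5. Confirm the IKEv2 tunnel is still established after the change.
/ip ipsec active-peers print

# To revert: re-enable fasttrack and remove the bypass policy by its comment.
# /ip firewall filter enable [find action=fasttrack-connection]
# /ip ipsec policy remove [find comment="LAN bypasses IKEv2 tunnel"]
```

Re-run the speed test after step 5; if the download figure has not moved, check that the action=none policy really sits above the dynamic encrypt policy in the step 3 output and that the fasttrack rule shows the X flag in step 4.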

Network speed should be much better now. In the run below, download went from 7.56 to 54.83 Mbit/s, upload from 0.39 to 35.47 Mbit/s, and latency to the test server from 673.6 ms back to 32.2 ms, in line with the no-VPN figures, while the "Testing from" line still shows the VPN exit's network rather than the ISP, confirming that traffic is still leaving through the tunnel. The remaining gap against the 338 Mbit/s baseline is the cost of the tunnel itself (encryption on the router and the VPN exit's capacity), which this workaround does not change.

$ speedtest-cli
Retrieving speedtest.net configuration...
Testing from Hydra Communications (redacted)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by HighSpeed Office Limited (London) [1.30 km]: 32.222 ms
Testing download speed...........................
Download: 54.83 Mbit/s
Testing upload speed...........................
Upload: 35.47 Mbit/s

References

https://forum.mikrotik.com/viewtopic.php?t=154449
