Tuesday, November 17, 2020

MikroTik - No option to adjust MTU for IPSEC Tunnel to troubleshoot perf

Q: Does anyone with experience with MikroTik device(s) have some insight into whether MTU adjustments for IPSEC overhead are possible?

I've used a lot of firewalls over the years (Checkpoint, PaloAlto, Cisco ASA/FP, Openswan, Fortinet, etc.) but I've run into a vendor that uses MikroTik as their router/firewall that we work with.

I'm terminating an IPSEC tunnel from PAN-OS to the MikroTik device and the IPSEC tunnel is performing really badly for TX. I wanted to match the MTU 1400 on the PAN-OS side to the MikroTik device, but there doesn't seem to be support to do this without doing it on their L3 WAN interface for all their traffic.

The tunnel is crawling at TX = 1.5mbps and RX = 32mbps (10 sample sizes over 1 min intervals)

I can get ping 192.168.1.1 -s 1476 over the tunnel; 1477 is where the DF bit kicks in.

Read through some of the docs myself and I don't see any IPSEC support.

https://help.mikrotik.com/docs/display/ROS/MTU+in+RouterOS#heading-AdvancedSetupExamples


