Established Member
LittleBill
Posts: 1,088
Kudos: 174
Solutions: 6
Registered: 06-18-2010

Re: Edge Router; Vpn throughput?

I do ipsec and then pptp over the top. Or rather, I do pptp tunnels and then to transport mode ipsec between the wan addresses. pptp 'tunnels' are much easier to work with because they can be used for OSPF while ipsec 'policy' in mikrotik is a PITA. No encryption on the pptp as it would be redundant. Anyway, I suppose that means a bit more overhead...


our uplink is slow, from my reading l2tp has a higher bandwidth overhead thus we generally use pptp, although we do have l2tp shared key (i know bad, still haven't learned certificates yet) dial in for those who are blocked on pptp
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

Re: Edge Router; Vpn throughput?

Just curious, is this bi-directional or uni?


IPerf/JPerf and pushing all the traffic one way.

So, aggregate was about 20-25Mb/s, with the CPU's pegged out at 100% on the RB.

This was a RB450G to RB450G setup, like so:
JPerf/Client --- 1Gb/s --- RB450G --- GBE-Switch --- RB450G -- JPerf/Client

There was an IPSec tunnel built between the two RB450G's, using SHA-1/AES256
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

our uplink is slow, from my reading l2tp has a higher bandwidth overhead thus we generally use pptp, although we do have l2tp shared key (i know bad, still haven't learned certificates yet) dial in for those who are blocked on pptp


l2tp over ipsec I assume? If so, shared key isn't really that bad.

l2tp, being layer 2, is going to send arps and other layer2 traffic that is probably not useful for a routed VPN network. pptp on the other hand is not very secure by itself, though it is really easy to work with.
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

Re: Edge Router; Vpn throughput?

I take it you are not a big normis fan huh? :manwink:

Yeah, man that guy has an attitude. I've got a colleague who is Latvian and his dad is from the "old country" and is the nicest guy ever - so it's not a Latvian thing, I don't think.
Funny thing is - when I submit tickets I almost always get nice response. But the forum? It's like it's ruled by the BOFH or something.
-Greg
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

PPTP - Please don't...

PPTP?
If you care about security, please don't.

PPTP was demonstrated as broken by design by Moxie Marlinspike about a month ago.

PPTP = VERY BAD.

I can provide a linky if you like, though a google search on cloudcracker should do you.

-Greg
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?


Funny thing is - when I submit tickets I almost always get nice response. But the forum? It's like it's ruled by the BOFH or something.
-Greg


I can echo that statement...

I'm not claiming ubiquiti is perfect, but the level of 'class' for UBNT-* staff in their forums is top notch and they are much more active in the forums.
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

PPTP?
If you care about security, please don't.

PPTP was demonstrated as broken by design by Moxie Marlinspike about a month ago.

PPTP = VERY BAD.

I can provide a linky if you like, though a google search on cloudcracker should do you.

-Greg


ditto.

LittleBill, you might consider just adding a layer of ipsec.
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

oh, did I mention that openvpn over udp is the solution to your....pro.....uh..dang, that isn't an option on mikrotik. looks like you need some ERLites :manwink:
Established Member
LittleBill
Posts: 1,088
Kudos: 174
Solutions: 6
Registered: 06-18-2010

Re: Edge Router; Vpn throughput?

pptp was demonstrated broken i believe in 2002,
how do u add ipsec over pptp? can the standard microsoft client handle this?
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

Re: Edge Router; Vpn throughput?

oh, did I mention that openvpn over udp is the solution to your....pro.....uh..dang, that isn't an option on mikrotik. looks like you need some ERLites :manwink:


I'm using OpenVPN on RB's pretty successfully. There's a lot there that sucks, but you can get TAP connections working fairly well. Just don't expect large throughput.

In my testing on the RB450G, I couldn't ever get OpenVPN to peg the CPU, and throughput was a little less than half as much as I could get in an IPSec tunnel. But since the CPU was only 50% utilized I wasn't surprised.

I opened a ticket and never got any sane response on it. It's simply languished since then, and I'm of the opinion that getting any answers about whacked OpenVPN issues is about as likely as getting hit by a comet on a collision course with earth or something.
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

Re: Edge Router; Vpn throughput?

pptp was demonstrated broken i believe in 2002,


That was for short pre-shared keys, IIRC.

This final nail was for breaking any length PSK in less than 24 hours - once you capture the PPTP handshake.
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

I'm using OpenVPN on RB's pretty successfully. There's a lot there that sucks, but you can get TAP connections working fairly well. Just don't expect large throughput.

In my testing on the RB450G, I couldn't ever get OpenVPN to peg the CPU, and throughput was a little less than half as much as I could get in an IPSec tunnel. But since the CPU was only 50% utilized I wasn't surprised.

I opened a ticket and never got any sane response on it. It's simply languished since then, and I'm of the opinion that getting any answers about whacked OpenVPN issues is about as likely as getting hit by a comet on a collision course with earth or something.


Mikrotik has no interest in supporting UDP transport for openvpn. If they would, that throughput would go up to ipsec levels (or very near) but with openvpn you get the 'dial in' type simplicity that pptp offers today, but you get secure communications too.
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

pptp was demonstrated broken i believe in 2002,

how do u add ipsec over pptp? can the standard microsoft client handle this?



for client connections:
l2tp over ipsec. supported on windows, linux, osx, etc.
sstp. also supported on windows, linux, osx, etc.

or
get edgerouter and do openvpn over udp. clients for pretty much anything.
Established Member
LittleBill
Posts: 1,088
Kudos: 174
Solutions: 6
Registered: 06-18-2010

Re: Edge Router; Vpn throughput?

so u can't do pptp over ipsec and use the windows client?
i know u can do l2tp over ipsec i do that now
not sure what sstp is
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

so u can't do pptp over ipsec and use the windows client?

i know u can do l2tp over ipsec i do that now

not sure what sstp is


SSTP is a tunnel interface over SSL

you can do pptp over ipsec, but you would basically just be creating 2 tunnels.
l2tp is fine and it's probably not much in extra overhead for client>VPN concentrator, it's more site-2-site tunnels where there are a lot of devices arping or doing other l2 stuff.
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

Re: Edge Router; Vpn throughput?

for client connections:
l2tp over ipsec. supported on windows, linux, osx, etc.
sstp. also supported on windows, linux, osx, etc.

Because of the lack of IPSec Policy matching, I don't consider L2TP or IPSec secure for road-warrior support.
SSTP seems like it's been really unstable according to many reports since something like 5.14 or so.
So, IMO, that leaves OpenVPN. :manhappy:
I should note that the above applies to Routerboard not ER. We'll see what ER brings once we can put one through the paces.
---
But yeah, once I am able to get ER with 5+ ports, it's likely that MTK is toast for any place I'd consider using it.
Established Member
rebelwireless
Posts: 1,118
Kudos: 236
Solutions: 4
Registered: 02-09-2010

Re: Edge Router; Vpn throughput?

Because of the lack of IPSec Policy matching


you can match L2TP with an ipsec policy on mikrotik, you just have to make a policy for udp1701 and then another for protocol 50, which you can type in even though it isn't on the pulldown.
Member
gsloop
Posts: 136
Kudos: 27
Registered: 03-10-2011

Re: Edge Router; Vpn throughput?

I think you misunderstand.
IPSec traffic just "shows up" on the WAN link.
I.e. say the IP of the connecting IPSec RW is 1.2.3.4 - then you'll just see traffic with a source IP of 1.2.3.4 show up on the WAN.
Since the road-warrior client can come from anywhere, IP-wise, you have to have a rule that goes something like this in your FW rules.
Allow from
WAN, Any Src-port, Any Src-IP
TO
LAN any dest-port Any dest-IP.
And forget about having a final "block-all-that-isn't-explicitly-allowed" - because the rule above nukes all that.
That's a security nightmare! It's essentially a blanket allow all from any WAN address to any LAN address.
What you'd do on Linux is with an IPSec policy match.
Thus: If the traffic was from an IPSec connection, allow it... It has a --policy and it's --ipsec traffic THEN allow it to go through.
Like this: twobit.us/blog/2010/11/managing-ipsec-packet-with-iptables/ See the "policy match" section. Makes it perfectly clear.
That's way different than what happens on RoS.
---
If you could do that, you could ensure you only allow L2TP traffic that *actually* came over IPSec. Without it? No way to tell.
With it, you'd have a FW rule that says: if this UDP/1701 traffic came over the IPSec tunnel allow it. If not deny it. Without it? There's just no way to make that determination.
So, when they say, "can't do that" - I tend to believe 'em, since it's so _not_ in their interest to say that.
-Greg
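The Linux-side rule set Greg is describing, written out as an added example. It is not from the thread or from the linked blog post, and it assumes a constructed setup: the WAN interface is eth0 (overridable through WAN), L2TP terminates on the firewall itself so the rules sit in the INPUT chain, and the kernel has the xt_policy module, which is what `-m policy` uses to ask whether an inbound packet was decapsulated from an IPsec SA. The dryrun helper and the audit function are likewise additions for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): Linux iptables rules that accept
# L2TP (UDP/1701) on the WAN only when the packet was decapsulated from an
# IPsec SA, using the policy match module the post refers to.
# Assumptions (constructed): WAN interface is $WAN (default eth0) and L2TP
# terminates on this box, so the rules live in the INPUT chain.
# Set IPT=dryrun to print the rules instead of installing them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

# Dry-run stand-in for iptables: prints the rule it would have installed.
dryrun() { printf '%s\n' "$*"; }

# The blanket rule the post warns against: L2TP accepted from any source,
# whether or not it arrived inside IPsec.
l2tp_rules_weak() {
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 -j ACCEPT
}

# Hardened set: admit IKE and ESP, then accept UDP/1701 only if the kernel
# decapsulated it from an ESP SA (-m policy --dir in --pol ipsec), and drop
# any L2TP that shows up on the WAN in the clear.
l2tp_rules_hardened() {
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT   # IKE
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT  # IKE/ESP with NAT-T
    "$IPT" -A INPUT -i "$WAN" -p esp -j ACCEPT               # the ESP packets themselves
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT # L2TP that came out of IPsec
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP    # L2TP that did not
}

# Audit helper: given a dry-run rule list, count ACCEPT rules for UDP/1701
# that carry no IPsec policy match (0 means every L2TP accept is guarded).
unguarded_l2tp_accepts() {
    printf '%s\n' "$1" | grep -- '--dport 1701' | grep -- '-j ACCEPT' \
        | grep -vc -- '--pol ipsec' || true
}

# Stand-alone use:  sh l2tp-policy.sh show    (print the hardened rules)
#                   sh l2tp-policy.sh apply   (install them; needs root)
case "${1:-}" in
    show)  IPT=dryrun; l2tp_rules_hardened ;;
    apply) l2tp_rules_hardened ;;
esac
```

Rule order is the whole point: the guarded ACCEPT must sit before the DROP for UDP/1701, and the DROP is what replaces the "any WAN source to L2TP" allow. With NAT-T the client's ESP arrives inside UDP/4500, but once the kernel has decapsulated it the inner packet still carries the IPsec state, so the same `--pol ipsec --proto esp` match applies. If the box forwards L2TP to a separate concentrator instead of terminating it, the same match belongs in the FORWARD chain.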
Veteran Member
Sirhc
Posts: 5,719
Kudos: 1924
Solutions: 20
Registered: 09-02-2009

Re: Edge Router; Vpn throughput?

awesome. are you by any chance related to 'the stig' from top gear?

He keeps saying he is not but when you go to Ubiquiti's office in SJ he is always walking around in this outfit and NEVER lifts his visor. It is a little disconcerting!

When you ask him why he always says it is because the EdgeMAX Routers are soo fast!
RF Armor Shield Kits for Ubiquiti M gear
www.rfarmor.com
They really do work!
Regular Member
mhotel
Posts: 730
Kudos: 158
Solutions: 4
Registered: 07-03-2008

Re: Edge Router; Vpn throughput?

SSTP is a tunnel interface over SSL


Yes, and it would be nice to have!