+1 vote
753 views 5 comments
by anonymous

Hello. I am testing RUTXR1 router (rutx_r_00.02.06.1) and have several questions:

1) What types of IPsec connections does RUTXR1 support: Gateway to Gateway, Client to Gateway?

2) Is it possible to configure an IPsec connection type that is "unsupported" in the Web GUI via the command line (via config files)?

3) Please state performance for IPsec: how many Gateway-to-Gateway tunnels can be configured/run? What is the IPsec throughput (AES-128-CBC + SHA256, 1400 byte), for example?

by anonymous

If somebody is interested, here are my tests of Teltonika RUTXR1 with firmware RUTX_R_00.02.06.1.

IPSEC Site to Site IKEv2 @ 3DES:

MD5/3DES/MODP1024 - 13.2 Mbit/seconds (TCP send) CPU Load ~30%

MD5/3DES/MODP1024 - 16.8 Mbit/seconds (TCP receive)

IPSEC Site to Site IKEv2 @ AES:

SHA-256/AES256/MODP2048 - 26 Mbit/seconds (TCP send) CPU Load ~12%

SHA-256/AES256/MODP2048 - 25 Mbit/seconds (TCP receive)

For reference, here are results for Mikrotik hAP ac^2 (arm) v7.1beta6:

IPSEC Site to Site IKEv2 @ AES:

SHA-256/AES256/MODP2048 - 72-79 Mbit/seconds (TCP send) CPU Load ~24%

SHA-256/AES256/MODP2048 - 49-50 Mbit/seconds (TCP receive)

Question of the day: Why was RUTXR1 outperformed by hAP ac^2?

| | RUTXR1 | hAP ac^2 |
|---|---|---|
| CPU | Cortex A7 | IPQ-4018 (Cortex A7) |
| CPU freq | 717 MHz | 716 MHz |
| CPU core | 4 | 4 |
| RAM, MB | 256 | 128 |
| FLASH, MB | 265 | 16 |
| Price, Eur :) | 367 | 52 |

by anonymous
Because the MikroTik device uses hardware crypto (and NAT?) offloading and the RUTX doesn't (true for the RUTX11, not sure about the RUTXR1).
by anonymous
Please, can you clarify, why not? Is it because of:

- hardware inside RUTX???

- OpenWRT itself

- Teltonika's implementation of OpenWRT?
by anonymous
AFAIK it is not a hardware issue, but the relevant qca drivers must be included / ported and the appropriate NPU firmware loaded into the processing subsystems.
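
The offloading point raised in the comments above can be checked on a Linux-based router with shell access by looking at which driver the kernel crypto API prefers for each primitive behind a proposal such as SHA-256/AES256. This is an added example, not part of the thread and not Teltonika or MikroTik code; the `/proc/crypto` excerpt is constructed (fields trimmed) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed /proc/crypto excerpt (fields trimmed); not captured from
# either router in the thread.
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
type         : skcipher

name         : cbc(aes)
driver       : cbc-aes-neonbs
priority     : 250
type         : skcipher

name         : sha256
driver       : sha256-generic
priority     : 100
type         : shash
EOF
}

# best_driver ALGO: read /proc/crypto text on stdin and print the driver with
# the highest priority for ALGO, i.e. the one selected when ALGO is requested by name.
best_driver() {
    awk -v want="$1" '
        $1 == "name"   { name = $3 }
        $1 == "driver" { drv = $3 }
        $1 == "priority" && name == want && (best == "" || $3 + 0 > prio) {
            best = drv; prio = $3 + 0
        }
        END { if (best != "") print best }'
}

# classify DRIVER: "generic" is the portable C code path; "other" means a
# CPU-optimised or engine-backed driver (the name alone cannot say which).
classify() {
    case "$1" in
        "")         echo missing ;;
        *-generic*) echo generic ;;
        *)          echo other ;;
    esac
}

for algo in "cbc(aes)" "sha256"; do
    drv=$(sample_proc_crypto | best_driver "$algo")
    echo "$algo -> ${drv:-none} [$(classify "$drv")]"
done
```

On a device, feed the real file instead of the sample, for example `best_driver "cbc(aes)" < /proc/crypto`.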

1 Answer

0 votes
by anonymous

Hello,

RUTXR1 supports point-to-point IPsec VPN configuration. You can review configuration details right here: https://wiki.teltonika-networks.com/view/RUTXR1_VPN#IPsec

What do you mean by saying "unsupported"? If you are talking about encryption algorithms then you cannot.

RUTXR1 can support more than 1k IPsec connections. These limits are just for established connections and do not guarantee flawless performance when real-world traffic is introduced, which will drop these numbers depending on how heavy the load is.

Note that when approaching the client count limit, the router may start having performance issues and services might even crash. Also, these tests were done in a mostly ideal scenario, with only default services running, so enabling additional services will most likely reduce the client count limit. Regarding the throughput, we do not have a test report for RUTXR1 yet.

Regards.

by anonymous
I am interested in a Client to Gateway connection with user authentication. So far I have understood that only gateway to gateway IPsec connections are possible (at least via GUI). Since RUTXR1 is based on OpenWRT and OpenWRT uses strongSwan, my question is: am I able to set up an IPsec config not supported by the GUI, but supported by OpenWRT/strongSwan?

Please answer the question about IPsec throughput.