Posts: 9
Joined: Thu Aug 11, 2022 11:28 pm

RouterBOARD with highest IPSec throughput for single SA

Fri Aug 12, 2022 12:26 am

I'm getting about 425-450 Mbps max throughput over a single IPSec SA using IKEv2, AES256, SHA256 between an RB4011 and a Palo Alto 7000, regardless of throughput test tool.

I see one core hit 100% CPU on this test with the RB4011, so I assume it's maxed out?

The RB4011 has 1 Gb symmetric Internet and the PA 7000 has a 100 Gb symmetric Internet.

Is there a MikroTik platform that can do more than 425-450 Mbps on a single SA using IKEv2, AES256, SHA256?
Forum Guru
Posts: 1212
Joined: Mon Sep 23, 2019 1:04 pm

Re: RouterBOARD with highest IPSec throughput for single SA

Fri Aug 12, 2022 1:29 pm

How was the test done? Exact setup, devices.
Posts: 39
Joined: Wed Mar 02, 2022 5:08 pm
Location: USA

Re: RouterBOARD with highest IPSec throughput for single SA

Fri Aug 12, 2022 11:31 pm

According to MikroTik's specifications ... estresults, RB4011 should handle 2016 Mbps with AES256+SHA256, but that is for 256 tunnels and a packet size of 1400. It lists single tunnel performance of 1577 Mbps for a different configuration (really, shouldn't matter that much as it's offloaded). However, the 512 bytes column is usually closer to what you get in the real world. And it's listed as 578 Mbps, much closer to your results. Their tests are likely done with an empty configuration, no firewall etc.

In my limited experience with IPSec on MikroTik, it's usually bound by single-threaded network operations rather than encryption itself, which is hardware accelerated on most models. So a single tunnel performance is not leveraging the full hardware potential.

I know it's a different beast, but I'm sure WireGuard could push a lot more on RB4011 thanks to better multi-threading. WireGuard can work with FastTrack enabled, that helps a bit too. I could achieve over 300 Mbps iperf3 between two hAP ac2, which are at least 50% weaker than an RB4011.

RB5009 has a better CPU than RB4011 but the same frequency, so it's not clear how much better it is in single-threaded operations. My guess is that something like CCR2004-16G-2S+ would be noticeably better at this, but I don't own it so can't say for sure.
Forum Guru
Posts: 2552
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RouterBOARD with highest IPSec throughput for single SA

Sat Aug 13, 2022 1:12 am

Typically in MikroTik routers, single tunnel IPsec performance is tied to single core performance and, of course, IPsec hardware acceleration.

Currently, the device declaring the highest single tunnel performance is the CCR2004 in both flavors, CCR2004-16G-2S+ and CCR2004-1G-12S+2XS, declaring around 50% more than the RB4011.

In theory, the champion will be the CCR2116 because it has the best CPU and SoC, but there is no published data because it is a new device and it is not confirmed if IPsec acceleration is fully functional on it yet.

Same situation with RB5009 and CCR2216.

Keep in mind that RB5009, CCR2004, CCR2116 and CCR2216 only work with RouterOS v7.x.

