Edgerouter Lite L2TP IPSEC VPN high CPU usage

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Edgerouter Lite L2TP IPSEC VPN high CPU usage

wratterus

1687 posts

Uber Geek
+1 received by user: 678

#259951 1-Nov-2019 17:20

I'm experimenting with a L2TP VPN to an Edgerouter Lite - have setup as per Ubiquiti's instructions here.

Router is on 2Degrees Gigabit Fibre and a speedtest onsite yields around 870/480 which is great.

Have made sure hardware offloading is enabled for IPSEC and gre, but only getting max throughput from a Windows client of around 45mbps (when copying a large file), and this is maxing out the CPU on the Edgerouter so I'm thinking the traffic is not actually being offloaded.

Has anyone else setup something similar and can comment on the throughput you were able to achieve?

Any comments or thoughts appreciated. I'm not expecting miracles but was expecting a bit more than 45mbps.

Edit - I should say I've had a reasonably good look through Ubiquiti's forums but it's a bit hard to sift through the thousands of posts about offloading being broken on the ER-X.

rscole86

4999 posts

Uber Geek
+1 received by user: 462

Moderator

Trusted

Lifetime subscriber

#2347391 1-Nov-2019 20:12

I thought that the Edgerouter didn't do hardware offloading of VPN traffic? But maybe that was only if using openvpn?

fe31nz

1295 posts

Uber Geek
+1 received by user: 423

#2347435 2-Nov-2019 02:00

rscole86: I thought that the Edgerouter didn't do hardware offloading of VPN traffic? But maybe that was only if using openvpn?

There are two different things involved here - offloading (where the hardware routes the packets without involving the CPU) and use of the encryption hardware. They are two different bits of hardware. An Edgerouter Lite can only do hardware encryption for a limited range of available encryptions. It does do it for IPSEC, but not for OpenVPN. For IPSEC, you need to enable it using a "set system offload ipsec" command. You also need to ensure that hardware offloading of the routing is also happening, using the "set system offload ipv4" and "set system offload ipv6" commands. The "show ubnt offload" command shows what is enabled. Here is what I am get from that command:

IP offload module : loaded
IPv4
forwarding: enabled
vlan : enabled
pppoe : enabled
gre : disabled
bonding : disabled
IPv6
forwarding: enabled
vlan : disabled
pppoe : enabled
bonding : disabled

IPSec offload module: loaded

Traffic Analysis :
export : enabled
dpi : enabled
version : 1.480

The "bonding" options are new in the last firmware version or two, so I do not know anything about them. For IPv6 offloading, "vlan" and "pppoe" are mutually exclusive, which is a pain if you want to use IPv6 VLANs and your ISP requires PPPoE. For IPv4, you can and should have forwarding, vlan and pppoe offloading enabled at all times unless you are trying to debug traffic on your ERL by capturing the packets there with tcpdump, tshark or the like. Without full offloading, the maximum throughput is pitiful, but the CPU can see all the packets and capture them for you.

Tinkerisk

4809 posts

Uber Geek
+1 received by user: 3668

#2347438 2-Nov-2019 06:26

wratterus:

Has anyone else setup something similar and can comment on the throughput you were able to achieve?

Any comments or thoughts appreciated. I'm not expecting miracles but was expecting a bit more than 45mbps.

For the ER3 139-123 Mb/s for IPSEC, depending of en/decryption, load is just below 100%

For the ERX 254-199 Mb/s for IPSEC, depending of en/decryption, load is 40-60%

For the ER4 446Mb/s for IPSEC for en/decryption, load is about 50%

Qui nihil scit, omnia credere debet. - He who knows nothing must believe everything.
Firewalls do NOT stop dragons.
Avoid Big Tech!
In effect we have everything to hide from someone, and no idea who someone is.