IKEv2 is a tunnelling protocol within the IPSec protocol suite.

The Problem
Using MikroTik L009UiGS-2HaxD, it is possible to establish an IKEv2 secured tunnel to VPN servers using EAP authentication. The problem is that network speed becomes extremely slow.
Speed test without the VPN on a Cat5e wired device:
$ speedtest-cli
Retrieving speedtest.net configuration…
Testing from ISP (redacted)…
Retrieving speedtest.net server list…
Selecting best server based on ping…
Hosted by Swish Fibre (London) [137.28 km]: 34.456 ms
Testing download speed………………………
Download: 338.45 Mbit/s
Testing upload speed………………………
Upload: 37.54 Mbit/s
Speed test with IKEv2 VPN on the same Cat5e wired device:
$ speedtest-cli
Retrieving speedtest.net configuration…
Testing from Hydra Communications (redacted)…
Retrieving speedtest.net server list…
Selecting best server based on ping…
Hosted by Swish Fibre (London) [1.30 km]: 673.6 ms
Testing download speed………………………
Download: 7.56 Mbit/s
Testing upload speed………………………
Upload: 0.39 Mbit/s
The Workaround
Disable the fasttrack firewall rule. Change the rule number to match that of your MikroTik.
/ip firewall filter disable numbers=20

Update IPSec policy to add a rule action=none for LAN.
/ip ipsec policy
add action=none dst-address=10.11.1.0/24 src-address=0.0.0.0/0 place-before=1 disabled=no

Replace dst-address=10.11.1.0/24 with your own local network address range. The policy for action=none should be below the default but above any added IKEv2 policy lines. See example below.
/ip ipsec policy print
Flags: T – TEMPLATE; D – DYNAMIC, A – ACTIVE; * – DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 0.0.0.0/0 10.11.1.0/24 all none
2 T 0.0.0.0/0 0.0.0.0/0 all
3 D VPN yes 10.6.0.14/32 0.0.0.0/0 all encrypt unique 1

Network speed should be much better now.
$ speedtest-cli
Retrieving speedtest.net configuration…
Testing from Hydra Communications (redacted)…
Retrieving speedtest.net server list…
Selecting best server based on ping…
Hosted by HighSpeed Office Limited (London) [1.30 km]: 32.222 ms
Testing download speed………………………
Download: 54.83 Mbit/s
Testing upload speed………………………
Upload: 35.47 Mbit/s
References
https://forum.mikrotik.com/viewtopic.php?t=154449

- A word from our sposor -

Lisenet.com :: Linux

IKEv2 VPN Unusably Slow on MikroTik | Lisenet.com :: Linux | Security

Previous article
4 MUST Have Hex Editors For Ubuntu Linux
Next article
Zed – SparkyLinux

© Copyright - 2023- 2025. All Rights Reserved.