MikroTik VPN Comparison


This is a comparison of the major MikroTik tunneling protocols. The values in the table below reflect the way that MikroTik handles these tunnels, as opposed to how the tunnels might behave when in strict accordance with their respective standards. For example, as per the published standard, L2TP is not an encrypted tunnel, but when used between two MikroTik routers the L2TP tunnel can use the same encryption as PPtP.

 

| Tunnel | Introduced | Layer | Port | Port can be changed | Default MTU | Authentication Protocols | Encryption Protocols | Encryption Level | Clients can call home | Bridging or BCP Supported |
|---|---|---|---|---|---|---|---|---|---|---|
| GRE | Oct 1994 | 3 | N/A | No | 1476 | N/A | N/A | None | No | No |
| IPIP | Oct 1996 | 3 | N/A | No | 1480 | N/A | N/A | None | No | No |
| VLAN | 1998 | 2 | N/A | No | 1500 | N/A | N/A | None | N/A | Yes |
| IPSEC | Nov 1998 | 3 | UDP 500 | Yes | N/A | None, MD5, SHA1, SHA256, SHA512 | None, DES, 3DES, AES, Blowfish, Twofish, Camellia | None, 64bits, 128bit, 192bit, 256bit | Yes | No |
| PPPoE | Feb 1999 | 2 | N/A | N/A | 1480 | PAP, CHAP, MSCHAP v1, MSCHAP v2 | None, MPPE 40bit, MPPE 128bit | None or 40bit or 128bit | N/A | Yes |
| PPtP | July 1999 | 3 | TCP 1723 | No | 1450 | PAP, CHAP, MSCHAP v1, MSCHAP v2 | None, MPPE 40bit, MPPE 128bit | None or 40bit or 128bit | Yes | Yes |
| L2TP | Aug 1999 | 3 | UDP 1701 | No | 1450 | PAP, CHAP, MSCHAP v1, MSCHAP v2 | None, MPPE 40bit, MPPE 128bit | None or 40bit or 128bit | Yes | Yes |
| OVPN | May 2001 | 3 | TCP 1194 | Yes | 1500 | None, MD5, SHA1 | None, Blowfish 128, AES 128, AES 192, AES 256 | None, 128bit, 192bit, or 256bit | Yes | Yes |
| EOIP | Sept 2002 | 3 | N/A | No | 1458 | N/A | N/A | None | No | Yes |
| SSTP | Jan 2007 | 3 | TCP 443 | Yes | 1500 | PAP, CHAP, MSCHAP v1, MSCHAP v2, TLS 1.0 | None, MPPE 40bit, MPPE 128bit, TLS 1.0 | None or 40bit or 128bit or 256bit | Yes | Yes |
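
As an added example (not part of the original post, and not MikroTik's own tooling), this Python script checks a RouterOS configuration export for the older authentication and encryption options that appear in the table. The export text is constructed for illustration, and the set of flagged values is an assumed policy that should be adjusted to local requirements.

```python
import re

# Assumed policy (not from the page): table values treated as legacy
# or as providing no protection. Adjust to local requirements.
FLAGGED = {
    "authentication": {"pap", "chap", "mschap1"},
    "auth-algorithms": {"md5", "null"},
    "enc-algorithms": {"des", "3des", "null"},
    "use-encryption": {"no"},
}

# Constructed sample in the style of RouterOS `/export` output.
SAMPLE_EXPORT = """\
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha256 \\
    enc-algorithms=des,aes-256-cbc
/ppp profile
add name=vpn-users use-encryption=no
"""

# key=value pairs; values may be quoted or comma-separated lists
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def audit(export_text):
    """Return sorted (menu, key, value) findings for flagged settings."""
    text = re.sub(r"\\\n\s*", "", export_text)  # join continued lines
    menu, findings = None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):  # a menu path such as "/ip ipsec proposal"
            menu = line
            continue
        for key, raw in PAIR.findall(line):
            for value in raw.strip('"').split(","):
                if value in FLAGGED.get(key, ()):
                    findings.add((menu, key, value))
    return sorted(findings)


if __name__ == "__main__":
    for menu, key, value in audit(SAMPLE_EXPORT):
        print(f"{menu}: {key}={value}")
```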

 

All tunnels have an effect on throughput. In the table below, I’ll show how much throughput is lost per tunnel type. These tests were not conducted to see what the maximum throughput between the routers could possibly have been, but rather to show the loss of throughput when traversing a tunnel. The tests were conducted between two 8-port CRS routers running ROS 6.27. Each of the tunnels was using its highest encryption method. Your results will probably vary a little, but the % of loss should be somewhat similar. A lower encryption standard should give more favorable results, but that won’t always be true.

Update 9-19-2018: ROS has made many improvements and these test results are not accurate anymore. Fast Track and other features can produce much higher throughput values than what was true in ROS 6.27. To test your tunnel, first do a bandwidth test between the IPs that are being used to connect the tunnel. Frequently, these will be the public IP addresses of the two routers. Then test between the IP addresses used on the tunnel to compare the results.

| Tunnel | Initial Bandwidth | With Tunnel | % of Loss |
|---|---|---|---|
| GRE | 691M RX | 195M RX | 71.80% |
| IPIP | 691M RX | 204M RX | 70.50% |
| VLAN | 691M RX | 582M RX | 15.80% |
| IPSEC | 691M RX | 667M RX | 3.50% |
| PPPoE | 691M RX | 94M RX | 86.40% |
| PPtP | 691M RX | 61M RX | 91.20% |
| L2TP | 691M RX | 59M RX | 91.50% |
| OVPN | 691M RX | 29M RX | 95.90% |
| EOIP | 691M RX | 190M RX | 72.50% |
| SSTP | 691M RX | 29M RX | 95.80% |

 

MikroTik Manual Pages

PPP

PPTP

PPPoE

L2TP

SSTP

OVPN

IPIP

GRE

EOIP

VLAN

IPSEC

 

Authentication/ Encryption Protocols

PAP

CHAP

MSCHAP v1&2

DES

3DES

TLS

MD5

SHA1

MPPE

Blowfish 128

Twofish

AES

 



10 thoughts on “MikroTik VPN Comparison”

  • Rafael

    Hello,

    Thank you for this great chart!

    Which CRS devices are used for this test? Do they have hardware encryption support?

    Best regards.

    • rickfrey1000 Post author

      Thanks! I used the CRS109-8G-1S-2HnD-IN and yes, they do have encryption support. I don’t believe that support covers everything, but I know that it does apply to IPSEC specifically.

      • Stefan H

        I’m looking for the same. In my AVM Fritzbox router there’s a VPN option only based on IPSec. For the MT devices I only find solutions in combination with e.g. L2TP, but due to a huge bandwidth loss I’d like to use an IPSec-only tunnel (from my mobile to my home network, perhaps with split traffic). In combination with the L2TP I’m not even able to use websites with a lot of pictures or videos anymore.

        Is an IPSec-only VPN possible on the MT routers?

        Thanks in advance and best regards
        Stefan

        • rickfrey1000 Post author

          No, MikroTik can handle a very impressive number of tunnels and you’re right, pure IPSEC is the way to go. MikroTik can handle pretty much anything IPSEC related. You may want to use a 3rd party client (the Shrew is free) for the IPSEC tunnel to connect back to the router. That way you don’t have to worry about updates breaking the tunnels, which has been an ongoing problem with many of the OSs.

  • Kir

    Talking about IPSec, how is it possible to encrypt traffic at such high speed? According to your results, there is almost no speed degradation compared to the initial BW.

    • rickfrey1000 Post author

      The reason for that is that IPSEC is able to utilize an encryption co-processor on the router. Not all routers have that feature. If these had not, their throughput would have been much worse.

  • Stefan

    Hi Rick, can you please share the configuration for an IPsec-only VPN (without L2TP or similar)? I can’t find any tutorial on the internet for a VPN between RouterOS and iOS without L2TP – and the bandwidth with this combination is really bad.

    Thank you!