Solved Change Strongswan ciphersuite and enable MOBIKE to get rid of terrible VPN speeds

CB7

Occasional Visitor
-EDIT- I fixed this myself, see 2nd post in the thread.

Hello,

Running merlin; but I believe this is a stock firmware thing? So posting here, sorry if wrong board.
I'm using the ASUS' built-in Strongswan (so enabling IPSEC VPN with IKEv2 in the ASUS admin panel) and its speeds are absolutely atrocious for some reason. (Eg: without VPN I have a downlink of 480MBit/sec and 25MBit/sec up on 5G; but with VPN enabled it's only 43MBit/sec down and 5MBit/sec up. (Ref: I have 1000/1000 symmetric fiber and speedtests at the home connection are 800MBit/sec on average (up/down), so that's not the problem)). I didn't have this issue when running it on a standalone virtual machine, so looking into that now.

However; upon analyzing its config, I realized this is part of ASUS stock firmware and therefore I probably don't have unlimited freedom with modifying the configuration.
As such I have two questions I hope someone may be able to answer:

1.) MOBIKE is disabled, does anyone know of any objection against enabling it on ASUS routers?
2.) I noticed the ciphersuite in use is deprecated and not the best for performance. It is using "aes256-sha1-modp1024" which is both a crappy hashing algorithm as well as poor DH groups. I'd prefer using ChaCha20 but I'm not sure if that's a good fit for the ASUS hardware, so I suppose aes256-sha256-modp2048 would have to do; or maybe for performance reasons go for aes256-sha256-ecp256 instead. I was also wondering for this one if anyone knows if there are any major objections into doing so or that it should be smooth sailing. (Or maybe someone tried something different already, please do tell. :))

Hope it's not too much of a niche question. Thanks in advance! :)

-edit-
Ah... As it turns out, the router keeps resetting this file whenever it reboots. :(
Alright, so revisiting this anyway as I couldn't live with the terrible speeds I was getting from the IKEv2 on my AX3000Gv2:
- The first thing I did was enable MOBIKE as this improves stability AND allows for much easier transition between 5G and WiFi (or when roaming: different carrier).
- I modified the DPD settings to be a.) less aggressive (so less overhead), b.) try to re-establish connection instead of clearing the peer immediately.
- I changed the ciphersuites. The ciphers are based around ChaCha20 which is very lenient on CPU, very fast and considered highly secure. I forced the same type on ESP to ensure consistency and similar speed on that front.

This increased the speed on 5G<>VPN from an average of ~30MBit/sec up/down to an average of ~90MBit/sec up/down (with peaks to 130MBit, where before 30 was the max I could squeeze out of it). This is still nowhere near the ~900MBit/sec on average I get on WiFi and the +/- ~300MBit/sec average I do on 5G without the VPN enabled: but at least now it's an acceptable speed, lower latency and for me this is more than ample speed for daily usage on my iPhone.

If you wish to do the same and make it permanent, here is what I did:

In the "conn Host-to-Netv2" section of /tmp/etc/ipsec.conf, modify the following variables to read like this:
Code:
  mobike=yes
  ike=chacha20poly1305-prfsha256-curve25519
  esp=chacha20poly1305
  dpdtimeout=30s
  dpdaction=restart
  dpddelay=10s
You can open the file with nano (nano /tmp/etc/ipsec.conf), make the changes and then save & exit with CTRL+X.
(Note that "esp", contrary to the other variables, will not be defined already. It's a new addition to ensure consistency in ciphers; so copy/paste that in below the ike variable. Manually change the rest.)
(Note2: if you so happen to have an ASUS router with AES-NI (hardware acceleration for AES), then I'd suggest using aes256-sha256-ecp256 for ike and aes256gcm128 for esp instead of ChaCha20.)
If you want to test the new configuration, run command: ipsec stop && sleep 2s && ipsec start

To make it permanent and survive a reboot, the following changes were made (note: this assumes you already have the /jffs/configs and /jffs/scripts directories):
after making the changes to ipsec.conf described above, do the following:
Run command: cp /tmp/etc/ipsec.conf /jffs/configs/ipsec.conf
Run command: touch /jffs/scripts/strongswan.sh && chmod +x /jffs/scripts/strongswan.sh
Then: nano /jffs/scripts/strongswan.sh and input:
Bash:
#!/bin/sh
# Run from /jffs/scripts/services-start on every boot: stop the stock IKEv2
# daemon, put the saved ipsec.conf back in place, then start it again.

ipsec stop
sleep 1s
# Empty the stock-generated config first, then overwrite it with the saved copy
echo > /etc/ipsec.conf
cp -f /jffs/configs/ipsec.conf /tmp/etc/ipsec.conf
sleep 1s
ipsec start
Then, Run command: echo "/bin/sh /jffs/scripts/strongswan.sh # Modify ipsec.conf to ChaCha20 and enable MOBIKE" >> /jffs/scripts/services-start

That's it. Your ciphersuite is now changed to use ChaCha20, MOBIKE is enabled and the changes will be made permanent and survive a reboot of the router. (Well it doesn't exactly survive, rather: jffs scripts will undo the damage done by a reboot. ;))
If anyone has a better way of doing this, please feel more than free to chime in.
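As an added example that is not part of CB7's post, the router firmware or strongSwan itself, here is a POSIX sh helper that applies the same six settings to the "conn Host-to-Netv2" section with awk instead of hand-editing in nano, and then checks that the section really carries them. Editing by section matters because an ipsec.conf can hold several conn blocks and only the IKEv2 one is meant to change. It runs offline against a constructed sample file: the section name and the stock "aes256-sha1-modp1024" proposal come from the post, while the other keys in the sample, the function names and the temp-file paths are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread or the firmware).
# Rewrites the settings the post describes inside one conn section of an
# ipsec.conf and verifies the result. Keys outside that section are untouched.

SECTION="conn Host-to-Netv2"
# Desired key=value pairs, taken from the post (esp is absent in the stock file).
WANT="mobike=yes ike=chacha20poly1305-prfsha256-curve25519 esp=chacha20poly1305 dpdtimeout=30s dpdaction=restart dpddelay=10s"

# patch_ipsec_conf IN OUT : write a copy of IN to OUT with the section patched.
patch_ipsec_conf() {
  awk -v section="$SECTION" -v want="$WANT" '
    BEGIN {
      n = split(want, pairs, " ")
      for (i = 1; i <= n; i++) {
        eq = index(pairs[i], "=")
        order[i] = substr(pairs[i], 1, eq - 1)
        val[order[i]] = substr(pairs[i], eq + 1)
      }
    }
    # Append any wanted key the section did not already contain, then leave it.
    function flush(   i) {
      for (i = 1; i <= n; i++)
        if (!(order[i] in seen)) print "  " order[i] "=" val[order[i]]
      insec = 0
    }
    $0 == section { insec = 1; print; next }
    # A blank line or the next conn/config header ends the section.
    insec && ($0 ~ /^[[:space:]]*$/ || $0 ~ /^(conn|config) /) { flush() }
    insec && $0 ~ /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
      key = $0
      sub(/^[[:space:]]*/, "", key)
      sub(/[[:space:]]*=.*$/, "", key)
      if (key in val) {
        indent = $0
        sub(/[^[:space:]].*$/, "", indent)   # keep the original indentation
        print indent key "=" val[key]
        seen[key] = 1
        next
      }
    }
    { print }
    END { if (insec) flush() }
  ' "$1" > "$2"
}

# check_ipsec_conf FILE : exit 0 only if the section carries every wanted pair.
check_ipsec_conf() {
  awk -v section="$SECTION" -v want="$WANT" '
    BEGIN { n = split(want, pairs, " ") }
    $0 == section { insec = 1; next }
    insec && ($0 ~ /^[[:space:]]*$/ || $0 ~ /^(conn|config) /) { insec = 0 }
    insec { line = $0; gsub(/[[:space:]]/, "", line); have[line] = 1 }
    END { for (i = 1; i <= n; i++) if (!(pairs[i] in have)) exit 1 }
  ' "$1"
}

# write_sample_conf FILE : constructed stand-in for the stock file (not a real
# router dump); only the section name and the old ike proposal come from the post.
write_sample_conf() {
  cat > "$1" <<'EOF'
config setup
  uniqueids=no

conn Host-to-Netv2
  keyexchange=ikev2
  ike=aes256-sha1-modp1024
  mobike=no
  dpddelay=30s
  dpdtimeout=10s
  dpdaction=clear
  auto=add

conn Other
  ike=aes256-sha1-modp1024
  mobike=no
EOF
}

# Offline dry run. On the router you would instead patch /tmp/etc/ipsec.conf
# into /jffs/configs/ipsec.conf and let the boot script copy it back.
demo="${TMPDIR:-/tmp}/ipsec-demo.$$"
write_sample_conf "$demo.in"
patch_ipsec_conf "$demo.in" "$demo.out"
if check_ipsec_conf "$demo.out"; then echo "section verified"; else echo "verification failed"; fi
rm -f "$demo.in" "$demo.out"
```

The check is deliberately scoped to the one conn block, so an unchanged proposal in another block does not pass or fail it by accident; after `ipsec start`, `ipsec statusall` shows which proposal a live IKE_SA actually negotiated, which is the final confirmation that the edited file is the one in use.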
