Hardware offload for IPsec for new HEX router

I've just got a new RB hEX gr3 and performed a test of an IPsec site-to-site VPN configuration. I am using ROS 6.40.4 for the test.

It's up to 100-120 Mbit with one CPU core at up to 100% utilization. It looks like there is no hardware offload enabled.

I have 300 Mbit with hardware offload enabled and 10% CPU utilisation on a competing product, so I can definitely say that there is no offload.

How do I enable, use and check hardware offload for an IPsec configuration on this board?
I suppose a checkbox should be added to the RouterBOARD settings to manage it, because enabling offload can produce some regression and crash.

This is my hEX3, with IPsec and hardware offload.
ipsec_hardware.png
ipsec → Installed SAs

The “H”, in the first column, denotes hardware offload. This is automatically enabled, if the right hardware and ciphers are used.
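As an added example (not from this thread or from MikroTik), a small Python script that parses pasted `/ip ipsec installed-sa print` output from the CLI and lists the SAs that are missing the H flag, so the check described above can be run over an export instead of by eye. The sample output, the legend wording ("hw-aead"), the SPIs and the addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on RouterOS 6.x "/ip ipsec installed-sa print"
# output; legend wording, SPIs and addresses are assumptions, not captured output.
SAMPLE_OUTPUT = """\
Flags: A - AH, E - ESP, P - pfs, H - hw-aead
 0  EH  spi=0x1A2B3C4D src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
 1  E   spi=0x5E6F7A8B src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
 2  EP  spi=0x0C0D0E0F src-address=2.2.2.2 dst-address=3.3.3.3 auth-algorithm=sha256 enc-algorithm=aes-gcm enc-key-size=256
"""

LEGEND_RE = re.compile(r"([A-Z]) - ([^,]+)")          # "H - hw-aead"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([A-Z]*)\s+(\S.*)$")  # index, flag letters, key=value rest

@dataclass
class InstalledSA:
    index: int
    flags: set
    attrs: dict

def parse_legend(output):
    """Map each flag letter to its meaning from the 'Flags:' header line."""
    for line in output.splitlines():
        if line.startswith("Flags:"):
            return {k: v.strip() for k, v in LEGEND_RE.findall(line)}
    return {}

def parse_installed_sas(output):
    """Turn each SA line into an InstalledSA (index, set of flag letters, attrs)."""
    sas = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if line.startswith("Flags:") or not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        sas.append(InstalledSA(int(m.group(1)), set(m.group(2)), attrs))
    return sas

def software_only_sas(output, hw_flag="H"):
    """SAs without the hardware flag: their traffic is encrypted on the CPU,
    which matches the single core pegged at 100% in the original question."""
    return [sa for sa in parse_installed_sas(output) if hw_flag not in sa.flags]

def report(output):
    legend = parse_legend(output)
    for sa in software_only_sas(output):
        names = ", ".join(legend.get(f, f) for f in sorted(sa.flags)) or "none"
        print(f"SA {sa.index}: {sa.attrs.get('src-address')} -> {sa.attrs.get('dst-address')} "
              f"{sa.attrs.get('enc-algorithm')}-{sa.attrs.get('enc-key-size')} flags: {names} (no hw offload)")

if __name__ == "__main__":
    report(SAMPLE_OUTPUT)
```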

There is no flag ‘H’ in my SA Table.

Could you share your configuration for the Proposal and Peer ciphers?

Here is my configuration

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d

/ip ipsec peer
add address=1.1.1.1/32 enc-algorithm=aes-128 generate-policy=port-strict local-address=2.2.2.2 nat-traversal=no
 
/ip ipsec policy
add dst-address=1.1.1.1/32 level=unique protocol=ipencap src-address=2.2.2.2/32



/system routerboard print 
       routerboard: yes
             model: RouterBOARD 750G r3
     serial-number: 6F3807E974E1
     firmware-type: mt7621L
  factory-firmware: 3.35
  current-firmware: 3.41
  upgrade-firmware: 3.41

I’m using L2TP over IPsec. Should make no difference to the hardware offloading. My configuration is:

/ip ipsec proposal print
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024

/ip ipsec peer print
  1   R ;;; Meu na mao
       address=::/0 passive=yes auth-method=pre-shared-key secret="<the secret>" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=no
       proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  DA  src-address=<server IP> src-port=1701 dst-address=<client 1 IP> dst-port=1701 protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no proposal=default ph2-count=1 

 2  DA  src-address=<server IP> src-port=1701 dst-address=<client 2 IP> dst-port=1701 protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no proposal=default ph2-count=1

/system routerboard print
       routerboard: yes
             model: RouterBOARD 750G r3
     serial-number: <serial number>
     firmware-type: mt7621L
  factory-firmware: 3.35
  current-firmware: 3.41
  upgrade-firmware: 3.41

In this link you will find more info about the algorithms used by hardware offload.
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption

Make sure you use WebFig (as shown) or commandline. In WinBox this does not work! (bug)

pe1chl, you are quite right.

When using WebFig I see flags 'HA' for the installed SA.
By the way, is there an open bug for the WinBox issue?