IPsec Hardware acceleration on CHR?

It is well known that only AES-CBC hardware acceleration is supported by specific RouterBoards.
However, I can see the hardware acceleration flag on my CHR host if AES-GCM is used and no hardware acceleration flag if AES-CBC is used.
RouterOS version is 6.39.2
Any idea?

From v6.39 changelog:

*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;

That leaves me confused as to why AES-CBC cannot get accelerated on my CHR host.

The IPsec connection is from RB850Gx2 to CHR with sha256/AES-256-CBC. The hardware acceleration works fine on my RB850Gx2.

What hypervisor are you running CHR on?

Hypervisor is KVM. Hardware acceleration is enabled if we use AES-GCM, so AES-NI is supported by this.

I’m seeing this also.

ESXI V6
CHR RouterOS 6.42.4

If I set the proposal to aes-256 gcm, I get the hardware flag and CPU stays low.

If I set it to aes-256 cbc or ctr, then there is no hardware flag and CPU rises.

Has anyone seen aes-256 ctr or cbc work on a CHR…?

I’d like to get it running as I have a CCR at the other end…

Does the server CPU support AES-NI?

Xeon D-1541 ( https://ark.intel.com/products/91199/Intel-Xeon-Processor-D-1541-12M-Cache-2_10-GHz )

ESXI extension pass-through is not disabled

Image attached of CPU-Z running on a guest in the same Host showing the AES-NI

Also I’m assuming that if GCM has been hardware accelerated then it must be able to see the AES-NI in the first place.

Same here, KVM with host CPU which has AES-NI flag.
Is there any solution?

On the IPsec wiki hardware acceleration page, there is a note by the x86 (AES-NI) entry that states:

*** AES-CBC and AES-CTR only encryption is accelerated, hashing done in software

So I’m guessing that’s why there is no H by the entry, as it’s not fully hardware accelerated.