Can one VPN IPSec connection use multiple CPUs on Mikrotik?
I thought that Mikrotik used multiple CPUs for IPSec, since I was testing that when I set up my home Mikrotik several years ago. And I was able to do 600Mbs without saturating any single CPU, with the workload spread over multiple CPUs.
But just now I configured almost the same configuration at another site (Mikrotik as IPSec VPN router), and I noticed that only ONE CPU was used for the IPSec VPN link (regardless of how many individual connections were going through that VPN connection), and that single CPU core was saturated at 100% with 200Mbs bandwidth. The device in question is identical to the one at my home: Mikrotik hAP ac2. It supports HW IPSec encryption (and reports it uses it, since I use AES-CBC), and on the Mikrotik site they state it should support 424.5Mbs over a “single tunnel”. Yet it hit 100% CPU at 200Mbs.
Thinking that I misconfigured something, I retested my home router and lo and behold … it also uses just one CPU core and gets saturated at a similarly low bandwidth (60% CPU at 90Mbs, 100% CPU at 200Mbs).
Searching through the forum, I found a few posts mentioning how Mikrotik had some reordering issues with some clients and fixed that ‘bug’ by forcing IPSec to use just one CPU. Is that true? Did Mikrotik make a silent downgrade of their routers? And, most importantly, can it be reverted somehow?
I never had any ‘client’ issue several years ago when IPSec was multithreaded (I used Windows and Android as clients), so I would very much like an option to turn off that ‘fix’ and allow Mikrotik to use multiple CPUs for IPSec again. Is there maybe some way to do that in configuration?
In addition, I do not understand why Mikrotik did not at least make the firewall part (filtering packets) and the networking part (IPSec encryption/decryption) run on different CPUs. Currently, when the CPU is saturated, about 60% goes to networking (IPSec enc/dec?) and 40% to the firewall (I guess since IPSec cannot be fasttracked?). But there is no obvious reason why those two should go on the same CPU. It is possible that I just had bad luck and that Mikrotik randomly chooses a CPU for the firewall (or it is always cpu0), and since I understood that it chooses the CPU for an IPSec tunnel based on an IPclient<->IPserver hash, it may happen that it selected the same CPU. Which in itself is bad design: they could have checked to avoid using the CPU used by the firewall (especially when only one IPSec tunnel exists). Also, it is possible that the reported max performance of the ac2 (424.5Mbs over a “single tunnel”) was obtained when they set up test IP addresses in such a way that Mikrotik chose a different CPU from the one used for the firewall. But that would be misleading, since many real-life situations would use the same CPU.
TL;DR:
- did Mikrotik silently downgrade their OS in recent years to make IPSec VPN use just a single CPU (due to reordering issues)?
- can we somehow tell Mikrotik to use multiple CPUs for IPSec (on our own responsibility regarding reorderings and clients)?
- can we at least tell Mikrotik to use different CPU cores for the networking and firewall parts of a single IPSec tunnel?