Looking to see if RouterOS and CHR are able to use these instructions in the Intel processors.
Can’t be 100% certain but I do believe it does because the CPU usage which I see is extremely low and this is when I’m using the GRE+IPSEC VPN links which use AES-256-CBC.
HTH
How is the performance? Mind if I ask what hardware you are using? I’m looking to do something similar. A hub and spoke setup using GRE+IPSEC. I’m hoping to find something for spokes to get up to ~300Mbps. The best I’ve tested so far was some HP desktop I found lying around, had an Intel i3 processor. Had that going at about 220Mbps.
This one’s running on Intel(R) Xeon(R) CPU L5640 @ 2.27GHz on XenServer 7
https://www.dropbox.com/s/ebvxrqqzd86pzp1/Screenshot%202017-02-28%2013.45.19.png?dl=0
This one’s running on Intel(R) Xeon(R) CPU E3-1245 V2 @ 3.40GHz on OpenSource Xen (Debian) using HVM.
https://www.dropbox.com/s/67pl7ev89p3gjfj/Screenshot%202017-02-28%2013.48.59.png?dl=0
Sadly I can’t test anything higher than 100Mbit atm as the first server’s limited to a 100Mbits link right now till the upgrade goes through, but the other one is on 1000Mbits. Running AES-256-CBC on these processors does around 3-5% on 100Mbits GRE+IPSEC.
For your info, if you’re looking for a cheap routerboard which can do around 320Mbits AES-256-CBC or 470Mbits AES-128-CBC then look at the RB750_Gr3 (https://routerboard.com/RB750Gr3). I highly recommend them. Currently have several on home vDSL lines connected to the DCs. Some DCs are running hardware routerboards but these two DCs don’t, hence running CHR.
HTH
P.S. I’ll see if I get a chance later to connect the gig CHR to a 10Gig CCR in another DC, then you should have more of an idea of what its max is. No promises, need to speak to the boss.
I actually had an 1100AHx2 connected with a 300Mbps cable connection to a CHR on ESXi/VMware using a Xeon ES-2650 @2.6GHz. GRE+IPSEC AES-128-CBC. Could only manage around 100Mbps with connection tracking turned off and no QoS features. Does that seem odd to you? I thought the 1100 could handle more. I’m wondering if something is poorly optimized.
Don’t know about that RB myself but checking the spec sheet, it doesn’t directly say if it has hardware-enabled encryption so likely it doesn’t. Remember, even if the CPU has it, MikroTik still needs the firmware to support it too. Look at the RB3011 as an example: the CPU technically has hardware encryption but because the software is lacking support to use it, it doesn’t work, hence the VPN throughput is quite poor (around 90Mbits from what I understand).
So assuming the 1100AHx2 is using software mode, which is very likely as they don’t mention otherwise, what you’re seeing is probably about normal. Remember that the 1100AHx2 you mentioned is only a dual core as well, so kinda to be expected with the throughput you mention imo. However, I am sure someone who has the exact same model could tell you exactly what they can get out of it max, but I doubt it’d be much more than what you said.
If you only need around 300Mbits and 2-3 watts of power with a cost of around £40-55, you can’t go wrong with an RB750Gr3.
I purchased the 1100 based on this doc: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#RB1100AHx2_Config_Optimizations
Section 3.4 suggests they have hardware acceleration. Hopefully it’s correct.
I tried the optimizations it lists. Didn’t seem to help much. I might try some different configurations with the CPU settings though.
I have a sneaky feeling you’re not going to get much more than you already have and the bottleneck is likely to be the 1100AHx2 and not the CHR. I will see if I can get some further testing done over the next few days so you can happily rule out CHR being the limiting factor; depends on the boss really, and I will report back if it’s cleared.
One thing you might want to try is adding the NAT rules in your raw table instead, which will bypass connection tracking and may speed things up a bit too. This is something I do for VPN connections here (site to site) as they don’t directly need any connection tracking etc.
Oh cool, I didn’t know about the raw thing. I’ll move my configs over to that. Thanks.
Nps. Example config below.
/ip firewall raw add chain=prerouting src-address=172.30.2.0/24 dst-address=172.30.255.0/24 action=notrack comment="Site A -> Site B"
/ip firewall raw add chain=prerouting src-address=172.30.255.0/24 dst-address=172.30.2.0/24 action=notrack comment="Site B -> Site A"
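A variant of the raw rules above that ties each notrack rule to the interface the traffic should arrive on, together with the filter rule that untracked packets then need. This is an added example, not part of the original thread; the subnets are the ones from the post, while the interface names `gre-siteB` and `bridge-lan` are hypothetical and the `untracked` connection state assumes a RouterOS release that has the raw table.

```routeros
# Added example (not from the thread). Interface names gre-siteB and
# bridge-lan are hypothetical; substitute the real tunnel and LAN interfaces.

/ip firewall raw
# Site A -> Site B: only untrack packets that really come from the local LAN.
add chain=prerouting in-interface=bridge-lan \
    src-address=172.30.2.0/24 dst-address=172.30.255.0/24 \
    action=notrack comment="Site A -> Site B (from LAN)"
# Site B -> Site A: only untrack packets that arrived over the GRE tunnel.
# A packet claiming a 172.30.255.0/24 source on any other interface does not
# match here, stays tracked, and is judged by the normal filter rules.
add chain=prerouting in-interface=gre-siteB \
    src-address=172.30.255.0/24 dst-address=172.30.2.0/24 \
    action=notrack comment="Site B -> Site A (from tunnel)"

/ip firewall filter
# Untracked packets never match established or related, so a stateful
# ruleset has to accept the untracked state explicitly.
add chain=forward connection-state=established,related,untracked \
    action=accept comment="accept tracked flows and notrack'ed VPN traffic"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
```

NAT depends on connection tracking, so packets matched by the notrack rules are not rewritten by srcnat or dstnat rules.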
AES-NI support added:
http://forum.mikrotik.com/t/v6-39rc-release-candidate-is-released/104800/309
Brilliant, thank you very much.