Hello,
I’ve just replaced my good old RB2011 with a L009UiGS-2HaxD, however I’m not having any success with hardware assisted IPsec.
The router is connected to 3 different Mikrotik routers (RBD52G-5HacD2HnD, D53G-5HacD2HnD, RBwAPGR-5HacD2HnD) which all can work in accelerated mode, however the new L009UiGS-2HaxD cannot, whatever encryption I choose.
Of course, the result is high CPU load and limited throughput.
Is this a known limitation, or am I doing something wrong?
I’m running the latest dev branch 7.12rc1
Thanks for your help.
L009 switch chip is not (yet ?) on the list of supported chips for HW acceleration.
https://help.mikrotik.com/docs/display/ROS/IPsec
The fact IPSEC test results are missing from the product page, is also an indication.
If you really have to use IPSEC, you’re stuck there.
Is it an option to move to Wireguard ? Much faster and less demanding on CPU.
Thanks for answer.
I believe it is not the switch chip responsible for the encryption, but the CPU (IPQ-5018).
The product page is s really missing the IPsec test results, however the description is clearly stating “L009 features a powerful dual-core ARM CPU. It offers significant improvement when it comes to routing and filtering, complex firewall rules, IPsec hardware encryption, and various advanced RouterOS features”
I was already looking at the Wireguard VPN solution, but I wonder if that is faster than the hardware assisted IPsec.
Let’s hope someone from Mikrotik can chime in and confirm that HW encryption was only forgotten from the code and next version will have it.
My other older and smaller routers have the feature, so I expect to have it in the new L009UiGS-2HaxD.
Make no mistake, Wireguard IS faster then HW assisted IPSEC.
I did the tests between RB5009 and AX Lite some time ago.
Noticeable difference.
I’m sure it will only be a matter of time before IPSEC HW offload gets included properly.
Mikrotik support has no estimate about when the hardware encryption would be available.
Let’s hope it is coming soon.
Meanwhile, I will experiment with Wireguard.
can anyone share the ipsec speed result on 009? I’m especially interested in the comparison with the hex