Does the RB3011 have hardware encryption ability and is it enabled?
Thanks,
-tp
It has this in CPU but it’s not enabled AFAIK - http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption
Not yet unfortunately:
http://forum.mikrotik.com/t/high-speed-vpn-100mbps/75714/1
http://forum.mikrotik.com/t/cryptographic-accelerator-for-ipsec/98536/1
Is there any plan to implement it?
It will be great to have it in the next release.
Regards.
As it was mentioned in other topics, there will be no HW acceleration in ROS v6.
How much IPSEC throughput can it do currently (software only)?
Curious myself…
bugger all.
I’m seeing about 16Mb over the internet at about 7 or 8% CPU overall. The internet at the other end is limited to 20Mb upload so I cannot physically receive any faster anyway.
What’s new in 6.43.1 (2018-Sep-17 06:53):
Changes in this release:
*) rb3011 - added IPsec hardware acceleration support;
Great!
Is there any example of how to configure an IPSec tunnel between 2 RB3011 devices?
Kind regards.
Really?
There is nothing specific for the case of two RB3011, simply use the setup for any two Mikrotik devices mentioned in the manual. If hardware support for the authentication and encryption algorithms chosen is available on the device, it is activated automatically - it does not need to be switched on, and it cannot be switched off. Which algorithms enjoy hardware support can be found in this table in the same manual.
I’ve installed 6.43.1 on a 3011 but the IPSEC HW acceleration does not seem to work; it works fine on 750r3 and 1100ahx2.
Installed SAs of the 3011

Installed SAs of the 1100

One of the connections is between the 1100 and 3100. The 1100 side has EH, but the 3011 has only E.
Any ideas?
Thanks
At first sight the problem might be:
In your captured picture I see 192-bit encryption keys.
In the table in the manual, there is a * reference in the row for RB3011, which says
In your installed-sa list, I can see “192” in “Encryption Key Size” column. So change the aes key size to either 128 or 256 bits and try again.
Thanks!! Setting the default ipsec proposal only to allow 128 or 256 worked.
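The fix described in the posts above, written out as RouterOS commands. This is an added example and not part of any post in the thread; it assumes RouterOS v6.43.x menu paths and that the tunnel uses the built-in proposal named "default".

```routeros
# Added example, not from the thread. Assumes RouterOS v6.43.x and the
# built-in proposal named "default"; adjust the name if the policy uses another.

# 1. Show which encryption algorithms the proposal currently offers.
#    If the list includes aes-192-cbc, the peers can negotiate a 192-bit key,
#    which is the case reported in the thread (SA flagged E only on the RB3011).
/ip ipsec proposal print detail where name=default

# 2. Offer only the 128-bit and 256-bit AES key sizes.
/ip ipsec proposal set [find name=default] enc-algorithms=aes-128-cbc,aes-256-cbc

# 3. Remove the installed SAs so they are renegotiated with the new proposal.
/ip ipsec installed-sa flush

# 4. Once traffic has re-established the tunnel, check the flags and the
#    encryption key size: the SA should now show H next to E, as it does
#    on the 1100 side in the thread.
/ip ipsec installed-sa print
```

Apply the proposal change on both peers so that neither side can offer or accept the 192-bit key size.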
What’s new in 6.44beta14 (2018-Oct-01 12:01):
*) rb3011 - implemented multiple engine IPsec hardware acceleration support;
IPsec throughput table for RB3011UiAS-RM on our products page is updated too.
https://mikrotik.com/product/RB3011UiAS-RM#fndtn-testresults
If you experience any stability related issues when running hardware offloaded IPsec on RB3011UiAS-RM, please let us know at support@mikrotik.com