RB5009 IPSec Hardware Acceleration

Good day,

I’m currently at a loss because Mikrotik’s page for the RB5009 shows IPSec performance counters in the 1000s of Mbps using the specified protocols. However, in their documentation of hardware acceleration supported devices for IPSec, it’s still not listed there, and I’m unsure how up-to-date their documentation is.

I’m just wondering if anyone has been able to achieve these speeds or anything close to them. I’ve been running an IPSec tunnel as specified by them using AES-256-CBC & SHA256, facing a Fortigate firewall, and the most I’ve been able to achieve is nothing more than 280 Mbps when using Iperf3. (According to Fortigate’s documentation, AES256 on their side is the same as the “-CBC” specification in Mikrotik’s terms.)

Has anyone had any luck getting actually close to gigabit speeds?

It is listed here. The RB5009 uses the 88F7040 CPU.

https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Hardwareacceleration

When aes-128 gcm is used in phase 2 encryption, I get around 650 Mbits/sec (nearly 80 MB/s) in an iperf3 single connection test. Check the loading of each CPU core when you are doing the test. Moreover, you may try setting your CPU clock to 1400 MHz to see if you get higher throughput.

/system/routerboard/settings/set cpu-frequency=1400MHz

Small piece of info:
The latest versions of ROS7 will display a warning message if you change the CPU frequency to anything other than auto.