Hello Mikrotik forum users! First post here, let's see if you can give me a hand.
I have a Mikrotik Routerboard HEX S. The main reason I bought this device is because of HW acceleration in IPSEC. I plan to deploy a LAN to LAN between two residences in the future, and throughput is going to be important.
Nowadays I have the HEX S connected to the ISP, and handling PPPoE. It works great, and I get all the speed that I am paying for (300/300 Mbps) without the CPU even suffering.
I have also configured an L2TP/IPSEC server, which I am connecting to from endpoint devices (native MacOS and iOS clients). I use it regularly and it works great, but IMO the performance is quite slow. I am getting via Speedtest and fast.com (I know it is not the preferred method...) around 40 - 60 Mbps whenever I am connected to the VPN, regardless of the client used. Yes, I checked the throughput from sites guaranteed to have a much higher available bandwidth.
At that 40-60 Mbps the CPU0 maxes out, so I am guessing that is the bottleneck. How can I know if the encryption is being handled completely on the CPU0 instead of being offloaded to the specific chip? I am using encryption supported according to this table: RouterOS - RouterOS - MikroTik Documentation. It looks like it is not being offloaded.
Let me share some config and status info, and let's hope you can recommend some things to try and optimize the throughput. Keep in mind that I am not using any complicated firewall rules (fasttrack is enabled, and the VPN connections are being fasttracked), and no other services to burden the CPU, so I think I should expect some more throughput. I am getting better VPN throughput from a much older and somewhat cheaper router from another brand!
I would gladly accept to tinker with the config, but as L2TP/IPSEC is native to endpoints on both iOS and macOS, that is the preferred method.
--
[admin@MikroTik] > ppp profile print
3 name="l2tp-ipsec-profile" local-address=192.168.31.2 remote-address=dhcp-vpn-L2TP use-mpls=default use-compression=no use-encryption=required only-one=default change-tcp-mss=yes use-upnp=no address-list="" dns-server=8.8.8.8 on-up="" on-down=""
--
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=IPSEC_optimizar template=yes
1 DA src-address=88.25.89.XX/32 src-port=1701 dst-address=88.15.246.XX/32 dst-port=56989 protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no proposal=IPSEC_optimizar ph2-count=1
--
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none
1 name="IPSEC_optimizar" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none
--
[admin@MikroTik] > ppp active print
Flags: R - radius
NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 USERXXXX l2tp 88.15.246.XX 192.168.31.8 10m19s cbc(aes) + hmac(md5)
Thanks!
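As an added example (not part of the post above), here is a small parser for the RouterOS `print` listings pasted in the post. It reads the numbered key=value rows of the `ip ipsec proposal print` output, keeps the flag column, and reports the settings a reviewer would want a second look at: the post's custom proposal uses `md5` for authentication and neither proposal uses PFS. The sample input is a constructed copy of the post's proposal listing; the weak-algorithm set is this example's own choice.

```python
"""Parse RouterOS 'print' style output and review IPsec proposal settings."""
import re
from typing import Dict, List

# Constructed sample input: the proposal listing from the post above.
PROPOSAL_OUTPUT = """\
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none
1 name="IPSEC_optimizar" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none
"""

# A numbered row: number, optional flag column (e.g. '*' or 'DA'), then key=value pairs.
_ROW = re.compile(r'^\s*(?P<num>\d+)\s+(?P<flags>(?:[A-Z*]+\s+)*)(?P<body>\S+=.*)$')
# key=value, where the value may be a quoted string.
_KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')

# Auth algorithms flagged by this example: MD5 is broken, SHA-1 is deprecated.
WEAK_AUTH = {"md5", "sha1"}


def parse_print(text: str) -> List[Dict[str, str]]:
    """Turn the numbered rows of a RouterOS listing into dicts.

    The flag column is stored under '_flags' and the row number under '_num';
    the 'Flags:' legend line and anything unnumbered are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        row = {"_num": m.group("num"), "_flags": m.group("flags").replace(" ", "")}
        for key, val in _KV.findall(m.group("body")):
            row[key] = val.strip('"')
        rows.append(row)
    return rows


def review_proposals(text: str) -> Dict[str, List[str]]:
    """Return, per proposal name, the settings worth reviewing (empty list = nothing)."""
    findings = {}
    for p in parse_print(text):
        notes = []
        for alg in p.get("auth-algorithms", "").split(","):
            if alg in WEAK_AUTH:
                notes.append(f"auth {alg} is weak")
        if p.get("pfs-group", "none") == "none":
            notes.append("no PFS (pfs-group=none)")
        findings[p["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in review_proposals(PROPOSAL_OUTPUT).items():
        print(f"{name}: {'; '.join(notes) or 'ok'}")
```

The same `parse_print` works on the `ip ipsec policy print` and `ppp profile print` rows in the post, since they share the numbered key=value layout.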