Just noticed that the table for hardware acceleration now shows that the CPU used by the RB5009 (88F7040) supports AES-GCM for IPsec acceleration. Very happy to see it, as AES-GCM is more performant than AES-CBC etc. So I quickly changed my existing setup to use GCM but noticed that the installed SAs do not indicate that I am using accelerated encryption. I checked via the CLI and confirmed the same there as well. The remote end of my connection is a pfSense box using AES-CBC 128, SHA256, DH2048 for the P1 and AES-GCM128, NO HASH, DH2048 for the P2. Connection is successful and I am passing traffic. Can anyone else confirm? Was hoping to duplicate before submitting a support ticket.
Well, for anyone else wondering, here is the answer I received from MikroTik.
Emīls Z.
Hello,
After double checking, the RB5009 already has AES-GCM hardware acceleration support. Currently it is not indicated with the “H” flag next to the IPsec-SA entries. We will try to resolve the issue in the future.
It appears that way. I’d assumed it was based on a hardware check as well or something like that. Will admit I know nothing about the subject, but it is disappointing to know that one can be using a supported encryption scheme and yet have no way to determine that other than watching the CPU use perhaps.