As is well known that only AES-CBC hardware acceleration is supported by specific RouterBoard.
However, I can see the hardware acceleration flag on my CHR host if AES-GCM is used and no hardware acceleration flag if AES-CBC is used.
RouterOS version is 6.39.2
Any idea?

From v6.39 changelog:

*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;

From v6.39 changelog:

*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;

That confused me why AES-CBC cannot get accelerated on my CHR host.

The IPsec connection is from RB850Gx2 to CHR with sha256/AES-256-CBC. The hardware acceleration works fine on my RB850Gx2.

What Hypervisor are you running CHR on ?

What Hypervisor are you running CHR on ?

Hyperviser is KVM. Hardware acceleration is enabled if we use AES-GCM so that AES-NI is supported by this.

Im seeing this also.

ESXI V6
CHR RouterOS 6.42.4

If I set the proposal to aes-256 gcm I get the hardware flag and CPU stays low

If I set it to aes-256 cbc or ctr then there is no hardware flag and CPU rises.

Has anyone seen aes-265 ctr or cbc work on a CHR...?

I'd like to get it running as I have a CCR at the other end...

server CPU supports AES-NI?

server CPU supports AES-NI?

Xeon D-1541 ( https://ark.intel.com/products/91199/In ... e-2_10-GHz )

ESXI extension pass-through is not disabled

Image attached of CPU-Z running on a guest in the same Host showing the AES-NI

Also I'm assuming that if GCM has been hardware accelerated then it must be able to see the AES-NI in the first place.

Same here, KVM with host CPU which has AES-NI flag.
Is there any solution?

on the ipSec wiki hardware acceleration page, there is a note by the x86 (AES-NI) entry that states

*** AES-CBC and AES-CTR only encryption is accelerated, hashing done in software

So im guessing that's why there is no H by the entry as its not fully hardware accelerated.