Page 1 of 1

IPsec Hardware acceleration on CHR?

Posted: Mon Jun 26, 2017 9:03 am
by eternal0
As is well known that only AES-CBC hardware acceleration is supported by specific RouterBoard.
However, I can see the hardware acceleration flag on my CHR host if AES-GCM is used and no hardware acceleration flag if AES-CBC is used.
RouterOS version is 6.39.2
Any idea?

Re: IPsec Hardware acceleration on CHR?

Posted: Mon Jun 26, 2017 12:26 pm
by mrz
From v6.39 changelog:

*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;

Re: IPsec Hardware acceleration on CHR?

Posted: Tue Jun 27, 2017 5:14 am
by eternal0
From v6.39 changelog:

*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
That confused me why AES-CBC cannot get accelerated on my CHR host.

The IPsec connection is from RB850Gx2 to CHR with sha256/AES-256-CBC. The hardware acceleration works fine on my RB850Gx2.

Re: IPsec Hardware acceleration on CHR?

Posted: Tue Jun 27, 2017 6:15 am
by nz_monkey
What Hypervisor are you running CHR on ?

Re: IPsec Hardware acceleration on CHR?

Posted: Tue Jun 27, 2017 10:59 am
by eternal0
What Hypervisor are you running CHR on ?
Hyperviser is KVM. Hardware acceleration is enabled if we use AES-GCM so that AES-NI is supported by this.

Re: IPsec Hardware acceleration on CHR?

Posted: Fri Jun 22, 2018 12:28 am
by ebreyit
Im seeing this also.

ESXI V6
CHR RouterOS 6.42.4

If I set the proposal to aes-256 gcm I get the hardware flag and CPU stays low

If I set it to aes-256 cbc or ctr then there is no hardware flag and CPU rises.

Has anyone seen aes-265 ctr or cbc work on a CHR...?

I'd like to get it running as I have a CCR at the other end...

Re: IPsec Hardware acceleration on CHR?

Posted: Fri Jun 22, 2018 12:51 am
by chechito
server CPU supports AES-NI?

Re: IPsec Hardware acceleration on CHR?

Posted: Fri Jun 22, 2018 11:35 am
by ebreyit
server CPU supports AES-NI?
Xeon D-1541 ( https://ark.intel.com/products/91199/In ... e-2_10-GHz )

ESXI extension pass-through is not disabled

Image attached of CPU-Z running on a guest in the same Host showing the AES-NI

Also I'm assuming that if GCM has been hardware accelerated then it must be able to see the AES-NI in the first place.

Re: IPsec Hardware acceleration on CHR?

Posted: Tue Jun 25, 2019 7:40 am
by oreggin
Same here, KVM with host CPU which has AES-NI flag.
Is there any solution?

Re: IPsec Hardware acceleration on CHR?

Posted: Wed Jul 03, 2019 2:12 am
by jonmansey
on the ipSec wiki hardware acceleration page, there is a note by the x86 (AES-NI) entry that states

*** AES-CBC and AES-CTR only encryption is accelerated, hashing done in software

So im guessing that's why there is no H by the entry as its not fully hardware accelerated.