upower3
Member
Topic Author
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Hardware encryption for IPSec, ovpn, sstp?

Thu Jun 29, 2017 5:35 pm

I saw the only section on h/w encryption on the wiki https://wiki.mikrotik.com/wiki/Manual:I ... algorithms but frankly I'd like to understand more.

First of all, when I set up for example an eoip or ipip tunnel, I can enable IPSec (which will be done in kind of a default way), and it'll be set up as 3des/aes-128, so no h/w acceleration (as, according to the article on the wiki, h/w is only for sha1/sha256). I'd like to set up "default" encryption to fit the h/w acceleration requirements but still no luck with it.

Second thing I'd like to know is if there is any h/w encryption support for ovpn and sstp tunnels at all (and pptp/l2tp, too), regardless of the cipher I set up? I'd like to have it accelerated as well (why should it be CPU-only if we can offload to hardware?), but yet I see no info.

I do understand this is like a child's game and an IP-hero will always use IPSec, but in some doom configs (when clients are behind NAT etc) I'd rather have at least any connection than no tunnel at all, and this is where lack of h/w support may be kind of a problem.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Hardware encryption for IPSec, ovpn, sstp?

Thu Jun 29, 2017 10:25 pm

> I saw the only section on h/w encryption on the wiki https://wiki.mikrotik.com/wiki/Manual:I ... algorithms but frankly I'd like to understand more.
What you need to understand is that HW encryption support is currently limited to the in-kernel processing, which means only IPsec phase2 can use it. Period.
> First of all, when I set up for example an eoip or ipip tunnel, I can enable IPSec (which will be done in kind of a default way), and it'll be set up as 3des/aes-128, so no h/w acceleration (as, according to the article on the wiki, h/w is only for sha1/sha256). I'd like to set up "default" encryption to fit the h/w acceleration requirements but still no luck with it.
You are mixing things up. First, 3des and aes-128 are encryption algorithms while sha1 and sha256 are hash algorithms. You cannot compare them directly. Second, the default in your case is sha1 for hashing and either 3des or aes-128 for encryption. But all this does not really matter, because we are talking about phase1 here, which does not support HW accelerated encryption (which again does not really matter because phase1 exchanges are not supposed to happen often and are rather low volume).

For phase2 the default proposal is being used, and you can modify it to accept whatever algorithms you like. The defaults do support HW accelerated encryption:
[andrew@MikroTik] > /ip ipsec proposal export verbose 
# jun/29/2017 22:20:27 by RouterOS 6.40rc25
# software id = 
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
> Second thing I'd like to know is if there is any h/w encryption support for ovpn and sstp tunnels at all (and pptp/l2tp, too)
None of these have HW encryption support, except (obviously) L2TP over IPsec.
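An added example, not part of the post above and not MikroTik code: since only phase2 can be offloaded and a proposal may list several algorithms, this script audits `/ip ipsec proposal export` text for enabled proposals that could negotiate an algorithm outside the accelerated set. The set used is an assumption built from what this thread names (sha1/sha256, the AES-CBC ciphers of the default proposal); the `legacy` and `unused` proposals are constructed sample input.

```python
import re
import shlex

# Assumption: algorithms this thread names as accelerated. The real set is
# per-model; replace it with the wiki table entry for your hardware.
HW_AUTH = {"sha1", "sha256"}
HW_ENC = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}

# Constructed sample in the shape of the export quoted in the thread.
SAMPLE_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc name=legacy pfs-group=modp1024
add auth-algorithms=md5 disabled=yes enc-algorithms=aes-128-cbc name=unused
"""

def parse_proposals(export_text):
    """Return one dict of key=value properties per set/add line of the proposal menu."""
    export_text = re.sub(r"\\\n\s*", "", export_text)  # join backslash-wrapped lines
    proposals, in_menu = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_menu = line == "/ip ipsec proposal"
            continue
        if not in_menu or not line.startswith(("set ", "add ")):
            continue
        line = re.sub(r"\[[^\]]*\]", "", line)  # drop the "[ find ... ]" selector
        props = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        proposals.append(props)
    return proposals

def software_only(proposals, hw_auth=HW_AUTH, hw_enc=HW_ENC):
    """Map proposal name -> algorithms outside the accelerated set (enabled proposals only)."""
    report = {}
    for p in proposals:
        if p.get("disabled") == "yes":
            continue
        auth = set(p.get("auth-algorithms", "").split(",")) - {""}
        enc = set(p.get("enc-algorithms", "").split(",")) - {""}
        off = sorted((auth - hw_auth) | (enc - hw_enc))
        if off:
            report[p.get("name", "?")] = off
    return report

if __name__ == "__main__":
    for name, algs in software_only(parse_proposals(SAMPLE_EXPORT)).items():
        print(f"{name}: may negotiate without HW offload: {', '.join(algs)}")
```
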
 
upower3
Member
Topic Author
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: Hardware encryption for IPSec, ovpn, sstp?

Thu Jun 29, 2017 10:34 pm

> None of these have HW encryption support, except (obviously) L2TP over IPsec.
That's what I was afraid of. Thank you for the explanation! This is something that should be on the wiki so guys like me know how it all goes.

Ok, so the result is: no matter what we do, the only thing we should care about is if we can afford to use IPSec (and then we can play with phase 2 settings to use h/w at all). If not, then the device will use software encryption.

And in the second case we can simply go and get a model with a more powerful CPU to do encryption at a faster rate.

Thank you again for the explanation!
