Begetan
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Hardware offload for IPsec for new HEX router

Wed Oct 25, 2017 8:19 pm

I've just got a new RB HEX gr3 and performed a test of an IPSec site-to-site VPN configuration. I am using ROS 6.40.4 for the test.

It's up to 100-120 Mbit with CPU utilization of one core up to 100%. It looks like there is no hardware offload enabled.

I have 300 Mbit with hardware offload enabled and 10% CPU utilisation on some competing product, so I can definitely say that there is no offload.

How do I enable, use and check hardware offload for an IPSec configuration on this board?
I suppose a checkbox should be added to the routerboard settings to manage it, because enabling offload can produce some regressions and crashes.
 
Paternot
Long time Member
Posts: 609
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Hardware offload for IPsec for new HEX router

Wed Oct 25, 2017 8:43 pm

This is my hEX3, with IPsec and hardware offload.
[Attachment: ipsec_hardware.png (IPsec -> Installed SAs)]

The "H", in the first column, denotes hardware offload. This is automatically enabled, if the right hardware and ciphers are used.
 
Begetan
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: Hardware offload for IPsec for new HEX router

Thu Oct 26, 2017 2:52 pm

There is no flag 'H' in my SA Table.

Could you share your configuration for the Proposal and Peers ciphers?

Here is my configuration
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1d

/ip ipsec peer
add address=1.1.1.1/32 enc-algorithm=aes-128 generate-policy=port-strict local-address=2.2.2.2 nat-traversal=no
 
/ip ipsec policy
add dst-address=1.1.1.1/32 level=unique protocol=ipencap src-address=2.2.2.2/32
/system routerboard print 
       routerboard: yes
             model: RouterBOARD 750G r3
     serial-number: 6F3807E974E1
     firmware-type: mt7621L
  factory-firmware: 3.35
  current-firmware: 3.41
  upgrade-firmware: 3.41
 
Paternot
Long time Member
Posts: 609
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Hardware offload for IPsec for new HEX router

Thu Oct 26, 2017 3:26 pm

There is no flag 'H' in my SA Table.

Could you share your configuration for the Proposal and Peers ciphers?
I'm using L2TP over IPsec. Should make no difference to the hardware offloading. My configuration is:
/ip ipsec proposal print
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
 
/ip ipsec peer print
 1   R ;;; Meu na mao
      address=::/0 passive=yes auth-method=pre-shared-key secret="<the secret>" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=no 
      proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  DA  src-address=<server IP> src-port=1701 dst-address=<client 1 IP> dst-port=1701 protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no proposal=default ph2-count=1 

 2  DA  src-address=<server IP> src-port=1701 dst-address=<client 2 IP> dst-port=1701 protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no proposal=default ph2-count=1

/system routerboard print
       routerboard: yes
             model: RouterBOARD 750G r3
     serial-number: <serial number>
     firmware-type: mt7621L
  factory-firmware: 3.35
  current-firmware: 3.41
  upgrade-firmware: 3.41
  
 
In this link you will find more info about the algorithms used by hardware offload.
https://wiki.mikrotik.com/wiki/Manual:I ... encryption
 
pe1chl
Forum Guru
Posts: 6149
Joined: Mon Jun 08, 2015 12:09 pm

Re: Hardware offload for IPsec for new HEX router  [SOLVED]

Thu Oct 26, 2017 4:25 pm

There is no flag 'H' in my SA Table.
Make sure you use WebFig (as shown) or commandline. In WinBox this does not work! (bug)
 
Begetan
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: Hardware offload for IPsec for new HEX router

Mon Oct 30, 2017 10:22 am

pe1chl, you are quite right

When using WebFig I see flags 'HA' for the installed SA.
By the way, is there any open bug thread for WinBox?
