I am trying to set up IPsec between my home router (an RB4011) and a VPN server configured using Algo (https://github.com/trailofbits/algo).
The server is configured to only accept AES-256-GCM with SHA-512 and ECP384.

I have added the following IPsec profile: RouterOS does initiate an SA with the server, however it proposes AES-256-CBC rather than AES-256-GCM, which of course the server then rejects.

How do I make RouterOS select the correct cipher mode (GCM instead of CBC)?

I found this post and I just read other post in MikroTik forum.
I usually use a OpenVPN server in LINUX to set up my VPN because OVPN server in MikroTik doesnot support push-route option.
So I have a OpenVPN server working fine.

From this initial point, now I want to hardening my cipher comunication.
I would like to use AES-GCM, it means: AES-128-GCM or AES-128-GCM or AES-384-GCM.
I realise that more complex cipher supposses mor CPU load.

My goal will be AES-GCM with SHA256.

Any proposal to upgrade cipher list in Router OS?