This has been discussed before, but a solution hasn't been found, so let's see if there are any ideas.
CHR (4.45beta50) running in Azure (Hyper-v)
CPU there does have AES-NI extensions (verified with coreinfo)
IPSEC is setup to AES-CBC with SHA256.
No hardware offload
IPSEC is setup to AES-CTR with SHA256
Hardware offload is on
IPSEC is setup to AES-GCM with SHA256
Hardware offload is on.
Is there a reason AES-CBC is specially picky and does not do hardware offloading?
Trying to pair the CHR with a Hex router, which only supports AES-CBC