 
gabacho4
Member
Topic Author
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

[SOLVED] RB5009 AES-GCM supported for IPSEC?

Tue Nov 15, 2022 10:45 pm

Just noticed that the table for hardware acceleration now shows that the CPU used by the RB5009 (88F7040) supports AES-GCM for IPSEC acceleration. Very happy to see it as AES-GCM is more performant than AES-CBC etc. So I quickly changed my existing setup to use GCM but notice that the installed SAs do not indicate that I am using an accelerated encryption. I checked via the CLI and confirm the same as well. The remote end of my connection is a pfSense box using AES-CBC 128, SHA256, DH2048 for the P1 and AES-GCM128, NO HASH, DH2048 for the P2. Connection is successful and I am passing traffic. Can anyone else confirm? Was hoping to duplicate before submitting a support ticket.

Edit: running ROS 7.6
Last edited by gabacho4 on Wed Nov 16, 2022 8:42 am, edited 1 time in total.
 
gabacho4
Member
Topic Author
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: RB5009 AES-GCM supported for IPSEC?

Wed Nov 16, 2022 8:41 am

Well, for anyone else wondering, here is the answer I received from MikroTik.

Emīls Z.

Hello,
After double checking, the RB5009 has already AES-GCM hardware acceleration support. Currently it is not indicated with the "H" flag next to the IPsec-SA entries. We will try to resolve the issue in the future.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: [SOLVED] RB5009 AES-GCM supported for IPSEC?

Wed Nov 16, 2022 9:29 am

So that flag is set based on some list and not on some check if that is actually done in hardware or not. Sad.
 
gabacho4
Member
Topic Author
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: [SOLVED] RB5009 AES-GCM supported for IPSEC?

Wed Nov 16, 2022 9:36 am

It appears that way. I’d assumed it was based on a hardware check as well or something like that. Will admit I know nothing about the subject but it is disappointing to know that one can be using a supported encryption scheme and yet have no way to determine that other than watching the cpu use perhaps.
