Hi!
I have two hEXes in two locations, with a site-to-site IPsec VPN configured between them. At site A, there is a 250/250 Mbps internet connection (about 240 Mbps down and 230 Mbps up according to Speedtest) via fiber. At site B, I have a 600/50 Mbps connection (about 620 Mbps down and 52 Mbps up on Speedtest) via the cable TV network (with the modem in bridge mode). Now, I have no real use for 600 Mbps, but had to choose it to get any reasonable upload speed. Anyway, speed from site A to site B was about 180 Mbps, and in the other direction pretty much 50 Mbps.
Until a few days ago, both routers were running RouterOS 6.49.6. Now this is a bit silly, but I hadn't realized that I needed to change the channel to upgrade to RouterOS 7. I simply thought that version 7 wasn't available for my devices. But then I started Googling around a bit, because I really wanted to try WireGuard (not to replace the IPsec tunnel, but to replace L2TP when connecting from my phone, etc.), so when I realized I indeed could upgrade to RouterOS 7, I got a bit excited and didn't really think things through... I upgraded the router at site A, set up WireGuard and was amazed at how well WireGuard worked compared to L2TP, so without any further testing, I upgraded the router at site B as well. No other changes were made (such as altering FW rules, etc.). The IPsec traffic is, BTW, handled through the FW like any other traffic.

Somehow, I wasn't expecting a big performance penalty from upgrading to RouterOS 7. Thing is, when I'm at site B, I regularly remote into a VM at site A (with VNC), and before upgrading, performance was basically just like being at site A. But when I got to site B after the upgrade, I noticed that things weren't at all as smooth as they used to be, and after testing, the speed from site A to site B had dropped from 180 Mbps to about 115 Mbps.

I have tested a lot now, and I've noticed that the CPU cores in the site A router don't max out, but that one core at site B pretty much does, so I assume it's more CPU-intensive to encrypt traffic than to decrypt it... But then again, isn't it supposed to be HW encryption? I do route all internet traffic from site B through site A, but I don't notice any improvement when not doing so. When I check Tools - Profile, what is using the most CPU is "networking". Since the router at site B pretty much maxes out one core, but site B doesn't, I've thought of maybe downgrading the site B router to RouterOS 6, to hopefully get a few Mbits back (since I really only need WireGuard at site A).
I know this is a lot of text, but I have a few questions...
1. Is an IPsec performance drop of this magnitude normal when going from RouterOS 6 to RouterOS 7?
2. Are there any good ways to "cure" or mitigate this?
3. Since the IPsec encryption is HW based, why is it consuming so much CPU?
4. What is the correct (and safe) way to downgrade from RouterOS 7 to RouterOS 6?
5. Thinking a little bit into the future, what is the cheapest wired MikroTik router after the hEX which has better IPsec performance?
Thank you and all the best!