Community discussions

MikroTik App
 
dot02
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

IPsec Throughput and HW Encryption Engine on RB3011UiAS-RM

Tue Jan 10, 2023 4:00 pm

Hi all,

I was doing some performance tests on a pair of RB3011UiAS-RM running ROS 7.5.

I have a GRE/IPSEC tunnel between both devices over a 1GB WAN link. The /ip ipsec profile looks like this on both devices:
dh-group=ecp521 dpd-interval=5s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=Profile_Test prf-algorithm=sha512 proposal-check=strict

the output of /ip/ipsec/installed-sa/print looks like this on both devices (vice-versa on the other router of course):
SPI STATE SRC-ADDRESS DST-ADDRESS AUTH-ALGORITHM ENC-ALGORITHM ENC-KEY-SIZE
0 SHE 0xB71CA95 mature IP_RouterA IP_RouterB sha256 aes-ctr 288
1 SHE 0x19867DC mature IP_RouterB IP_RouterA sha256 aes-ctr 288

From the "H" in the STATE column, I understand that encryption is offloaded to the hardware crypto engine, which of course is what I want.

However from this page here (https://wiki.mikrotik.com/wiki/Manual:I ... celeration) I read that hardware encryption "supported only 128 bit and 256 bit key sizes" for the RB3011. As we can see from my output, my key size is 288bit long. How come that the output still shows the encryption as done on the hardware crypto engine? I guess that explains the poor throughput (about 30-35Mbps) and 15-20% CPU load? From the official benchmark on the product page I would expect the throughput to be much higher...

Cheers
Denis

Who is online

Users browsing this forum: archemist, SMARTNETTT and 65 guests