I think the issue is well understood, as can be found in other threads.
When using the aes-cbc mode, the encryption is hardware-accelerated, and the hardware has many cores that
can do this in parallel. By splitting the acceleration over cores, the packets get re-ordered depending on timing
details, and the end result is that the packets arrive in a slightly different order than they were sent.
This actually should not affect throughput at all, since the internet is specified that way (it can re-order packets at will),
but in practice many broken TCP/IP stacks blindly assume that when a packet is missing between two others, it
has been dropped and will have to be re-sent, and immediately send a request to do so.
Thus, when re-ordering is present a lot of bandwitdh is spent on sending duplicate packets.
This is not a defect of the router, but rather of the endpoint systems. However, it can be worked around in this case
by selecting an encryption method that won't be hardware-accelerated.
One could argue that some synchronization should be added to RouterOS to assure that even when hardware
accelerated encryption on the multicore architecture is done, the packets will still leave the router in sequence,
to work around those end-system bugs. Of course that might decrease performance in other situations,
especially in benchmarking. Manufacturers often don't like that, because benchmarking is what is being done
to compare their routers to others.
Bla-bla-bla
A lot of words, but little meaning.
>>When using the aes-cbc mode, the encryption is hardware-accelerated and the hardware has many cores that can do this in parallel
没有区别。可以使用多核并行in any mode, with and without hardware-accereration.
But, one core with hardware acceleration is faster in 10...100 times than one core without hw-accel.
And one ipsec aes-cbc tunnel on one core should be faster than aes-xxx tunnel on any number cores!
But, ipsec on ccr very slow for unknown reason.
Mikrotik team cannot fix this CCR issue for many years!
possible reasons:
1) programmers of the Mikrotik are very bad
2) or selection of TILERA processor for RB was an epic mistake