Hello,
I have a Cat6500-E with SUP720/MSFC3 and a 7600-SSC-400 with two SPA-IPSEC-2G crypto cards.
The old IOS (12.2(18)SXF8, old but stable) was working for years with a crypto transform set of AH and ESP:
crypto ipsec transform-set myts ah-sha-hmac esp-aes 256
perfectly well with HW acceleration (tested thoroughly, over several years).
(Note that 15.2 does not support the SSC and SPA at all.)
The Safe Harbor IOS 12.2(33)SXI12 claims that the combination of AH with ESP is not supported by the hardware (and refuses to accept it):
router(config)#crypto ipsec transform-set myts ah-sha-hmac esp-aes 256
Any combination of ESP and AH transform-set is not
supported by current hardware crypto engine.
The transform-set configuration will not be saved.
Please configure a valid transform-set.
which is false since the same hardware was doing just that for years.
This is a bit of a problem since AH with HMAC is the only way to detect tampering of the IPSEC packets' transport headers!
Using ESP with HMAC (transform set ... esp-aes 256 esp-sha-hmac) is not a sufficient alternative because the HMAC only protects the payload (content of the ESP packet) - not the transport packet.
The crypto engine hardware does support AH+ESP, as proven with the old IOS and >1 GBps IPSEC throughput for real-life traffic.
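
The coverage difference the post relies on, as an added example that is not part of the original post: it computes the AH ICV (RFC 4302) and the ESP ICV (RFC 4303) for an IP | AH | ESP packet and shows which one reacts to a change in the outer IP header. The key, addresses, SPIs and payload are constructed, and HMAC-SHA-1-96 is assumed as the algorithm behind `ah-sha-hmac` and `esp-sha-hmac`.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not from the post
DST = "192.0.2.2"               # constructed documentation address

def ipv4_header(src, proto, payload_len, ttl):
    """20-byte outer IPv4 header; checksum left at 0 (AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(DST))

def icv(data):
    """HMAC-SHA-1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_hdr, payload):
    """RFC 4302: outer IP header (mutable fields zeroed) + AH header + payload."""
    h = bytearray(ip_hdr)
    h[1] = 0              # DSCP/ECN
    h[6:8] = b"\0\0"      # flags and fragment offset
    h[8] = 0              # TTL
    h[10:12] = b"\0\0"    # header checksum
    return icv(bytes(h) + ah_hdr + payload)

def esp_icv(esp_bytes):
    """RFC 4303: SPI through the ESP trailer; the outer IP header is not an input."""
    return icv(esp_bytes)

def packet_icvs(src, ttl):
    """Return (AH ICV, ESP ICV) for an IP | AH | ESP packet from `src`."""
    esp = struct.pack("!II", 0x1000, 1) + b"constructed ciphertext"  # SPI, seq, data
    # AH header: next header 50 (ESP), length 4, reserved, SPI, seq, zeroed ICV
    ah = struct.pack("!BBHII", 50, 4, 0, 0x2000, 1) + b"\0" * 12
    ip = ipv4_header(src, 51, len(ah) + len(esp), ttl)  # protocol 51 = AH
    return ah_icv(ip, ah, esp), esp_icv(esp)

if __name__ == "__main__":
    base = packet_icvs("192.0.2.1", 64)
    for label, pkt in [("source address rewritten", packet_icvs("198.51.100.9", 64)),
                       ("TTL decremented in transit", packet_icvs("192.0.2.1", 63))]:
        print(f"{label}: AH ICV changed={pkt[0] != base[0]}, "
              f"ESP ICV changed={pkt[1] != base[1]}")
```

In tunnel mode the inner IP header is part of the data the ESP ICV covers; the outer header is the part that stays outside it.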