NetGate 7100 Crypto Acceleration
-
Hello,
We recently purchased a NetGate 7100U and I would like to know what the best "recommended practice" in terms of crypto acceleration with OpenVPN for this appliance actually is.
As far as I know the 7100U supports QAT as well as AES-NI.
Is one generally preferable over the other, or does it depend on other parameters, like the amount of users connecting via VPN, crypto algorithm etc.?
At the moment the crypto hardware setting in System / Advanced / Miscellaneous is set to QAT but I can't exactly verify the benefits or if it works at all. I didn't specify any hardware acceleration in my OpenVPN server setup. The data encryption algorithm is set to AES-256-CBC.
-
OpenVPN cannot currently use QAT so you won't see any improvement by selecting that.
However you won't see any degradation by setting that instead of AES-NI either. That's because OpenSSL, and hence OpenVPN, will use the AES-NI instructions the CPU supports directly without the need for an additional driver.
You will see a significant throughput increase by using AES-GCM though. I would definitely recommend switching to that if you can.
Setting the hardware crypto to QAT will give you the best IPSec throughput and it can do so for AES-GCM and CBC. Though GCM is still faster. I would leave it set to that since it won't affect OpenVPN throughput.
Steve
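The point above, that OpenSSL (and therefore OpenVPN) picks up AES-NI on its own and that GCM is the real win, can be checked on the appliance itself. The script below is an added example, not code from the thread or from Netgate: it runs `openssl speed` for AES-256-CBC and AES-256-GCM, once normally and once with the AES-NI CPUID bit masked out through the `OPENSSL_ia32cap` environment variable, and parses the 16 KiB column of the summary table. It assumes an `openssl` binary on PATH and the `-evp`/`-seconds` options of OpenSSL 1.1 or later; the `aesni_check.sh` name and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Netgate code): see what OpenSSL, and so
# OpenVPN, gets from AES-NI on this box, and how AES-256-GCM compares with AES-256-CBC.
# Assumes an `openssl` binary on PATH (the pfSense base system has one).
# Usage: sh aesni_check.sh run

# Pull the 16384-byte-block throughput (in 1000s of bytes/s) for one cipher out of
# the summary table that `openssl speed` prints on stdout. Case-insensitive, because
# OpenSSL 1.1 prints the name in lower case and OpenSSL 3 in upper case.
speed_16k() {
    awk -v name="$1" 'tolower($1) == tolower(name) { v = $NF } END { sub(/k$/, "", v); print v }'
}

# Benchmark one EVP cipher for a second. $2 is an optional OPENSSL_ia32cap mask;
# "~0x200000000000000" clears the AES-NI CPUID bit so OpenSSL falls back to its
# software AES, which is the easiest way to see what the instructions are worth.
bench() {
    if [ -n "${2:-}" ]; then
        OPENSSL_ia32cap="$2" openssl speed -evp "$1" -seconds 1 2>/dev/null | speed_16k "$1"
    else
        openssl speed -evp "$1" -seconds 1 2>/dev/null | speed_16k "$1"
    fi
}

# Integer percentage of $1 relative to $2 (e.g. 250 means 2.5x). Empty/zero-safe.
pct() {
    awk -v a="${1:-0}" -v b="${2:-0}" 'BEGIN { if (b > 0) printf "%d\n", a * 100 / b; else print 0 }'
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
    cbc_hw=$(bench aes-256-cbc)
    cbc_sw=$(bench aes-256-cbc '~0x200000000000000')
    gcm_hw=$(bench aes-256-gcm)
    gcm_sw=$(bench aes-256-gcm '~0x200000000000000')
    printf '%-12s %14s %14s\n' cipher 'AES-NI kB/s' 'no-AES-NI kB/s'
    printf '%-12s %14s %14s\n' aes-256-cbc "$cbc_hw" "$cbc_sw"
    printf '%-12s %14s %14s\n' aes-256-gcm "$gcm_hw" "$gcm_sw"
    echo "CBC with AES-NI runs at $(pct "$cbc_hw" "$cbc_sw")% of software CBC;"
    echo "GCM with AES-NI runs at $(pct "$gcm_hw" "$cbc_hw")% of CBC with AES-NI."
}

case "${1:-}" in run) main ;; esac
```

Run it with `sh aesni_check.sh run`. If the "no-AES-NI" column is much lower than the "AES-NI" column, the CPU instructions are already in use without any driver, which is why the QAT selection makes no difference to OpenVPN; the GCM row against the CBC row shows the gain from switching the data cipher.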
-
Thank you very much for your reply stephenw10. Very much appreciated as usual. :)
Hopefully it's ok if I ask a follow-up question about this. I wanted to change my VPN configuration from OVPN to IPSec anyway and this is just more of a reason to do that.
So I've set up an IPSec IKEv2 EAP-TLS tunnel, according to your configuration guidelines. After adjusting the IPSec profile on my Windows clients over PowerShell the connection was successfully established, I just noticed something in the IPSec logfiles that made me curious.
In my IPsec.log I can see the following error message several times:
received cert request for unknown ca with keyid xxxxxxxxxx
received cert request for unknown ca with keyid yyyyyyyyyy
Eventually the correct cert request for my actual CA is selected but I end up with 33 cert requests for an unknown ca.
Maybe you can point me in the right direction. I would assume a misconfiguration with my certificates maybe? Thank you.
-
Ok, that's the same mobile client sending those?
Sounds like the Windows client requesting certs for every CA it has for some reason.
-
Thanks stephenw10 and yes, it's from the same (mobile) client.
Sounds like the Windows client requesting certs for every CA it has for some reason.
That makes sense. On the other hand I have explicitly selected the CA certificate in the IPSec profile setup @ Win10.
I would just like to know if I can do anything to avoid that. It seems like a bit much overhead to go through every CA located in the Trusted Root CAs, which are indeed exactly 33.
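To put numbers behind the "same client, every CA it has" explanation, the following is an added example (not code from the thread or from Netgate) that triages the unknown-CA lines in the pfSense IPsec log: it counts the distinct keyids, groups the requests by the `<conn|id>` IKE_SA tag charon prints on every line (so one chatty client stands out from many), and derives the keyid of your own CA certificate so you can confirm the one request that matters is for it. IKEv2 CERTREQ payloads carry the SHA-1 of each trusted CA's SubjectPublicKeyInfo (RFC 7296, section 3.7), and that hash is what strongSwan logs as the keyid. It assumes the strongSwan charon log format as written to the IPsec log, an `openssl` binary on PATH for `ca_keyid`, and a log path and CA file that you supply; the `ipsec_certreq.sh` name is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Netgate code): triage the
# "received cert request for unknown ca with keyid ..." lines in a pfSense IPsec log.
# Assumes strongSwan's charon log format and an `openssl` binary on PATH (ca_keyid only).
# Usage: sh ipsec_certreq.sh /var/log/ipsec.log [/path/to/ca.crt]

# Distinct unknown keyids with how often each was requested, most frequent first.
unknown_ca_keyids() {
    grep -o 'received cert request for unknown ca with keyid [0-9a-fA-F:]*' "$1" \
        | awk '{ print tolower($NF) }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Total number of unknown-CA cert requests in the log (0 when there are none).
unknown_ca_total() {
    grep -c 'received cert request for unknown ca' "$1" || true
}

# Unknown-CA requests per IKE_SA, i.e. per "<conn|id>" tag charon puts on each line,
# so you can tell one client asking for all its CAs from many clients asking once.
unknown_ca_by_sa() {
    grep 'received cert request for unknown ca' "$1" \
        | sed -n 's/.*\(<[^>]*>\).*/\1/p' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# The CERTREQ keyid is the SHA-1 of the CA's SubjectPublicKeyInfo (RFC 7296 3.7).
# Compute it from your CA cert in the same colon-separated lower-case form charon logs.
ca_keyid() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 -c | awk '{ print tolower($NF) }'
}

main() {
    log=$1
    echo "unknown-CA cert requests: $(unknown_ca_total "$log")"
    echo "per IKE_SA:"; unknown_ca_by_sa "$log"
    echo "per keyid:"; unknown_ca_keyids "$log"
    if [ -n "${2:-}" ]; then
        echo "your CA keyid: $(ca_keyid "$2")"
    fi
}

case $# in 0) ;; *) main "$@" ;; esac
```

If the per-IKE_SA list shows one SA with a count matching the size of the client's trusted root store, the requests come from that client enumerating its CAs rather than from a problem with the server's certificate setup; the keyid printed by `ca_keyid` should match the one request that is not logged as unknown.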