IPsec-MB use case
-
I'm running an SG-6100.
I'm confused if this should be enabled at all, considering this one-liner in the documentation:
Generally speaking, this acceleration is faster than software alone or AES-NI, but slower than QAT.
Because I care about throughput mainly when it comes to my VPN, should I enable this? QAT is running on my system by default.
-
If you're using AES-GCM stick with QAT on the 6100.
Steve
-
@stephenw10 I have both QAT and IPsec-MB enabled on my 6100. Does the system choose the best one based on other settings, or would it be better to just disable IPsec-MB? My VPN is using AES-GCM.
-
I would disable IIMB to be sure it's using QAT, which will be faster for AES-GCM.
I'm unsure exactly what would take priority there. I'll try to find out...
-
@cwagz from this page: IPsec-MB
If IPsec-MB and QAT are both enabled, IPsec-MB will take over handling of AES-GCM acceleration. QAT accelerates AES-GCM faster than IPsec-MB, but IPsec-MB can accelerate ChaCha20-Poly1305 which is not supported by QAT. Depending on the required performance of each algorithm it may be better to only enable QAT, or to enable both, but it depends on the environment and workload.
-
Yes, that is the case currently.
However, there is a sysctl you can disable to prevent IIMB registering for AES-CBC (kern.crypto.iimb.enable_aescbc). It would be nice to have other options there.
-
@stephenw10 said in IPsec-MB use case:
disable to prevent IIMB registering for AES-CBC (kern.crypto.iimb.enable_aescbc)
That would be nice indeed. Do you know if this is possible with AES-GCM too?
-
Currently there is only a user ctl for AES-CBC.
-
@stephenw10 said in IPsec-MB use case:
Currently there is only a user ctl for AES-CBC.
Thanks stephenw10.
Hope they add this option in the future.