Activating IPsec-MB Crypto
-
The link below states OpenVPN benefits from IPSec-MB and AES-NI is an alternative
https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#openvpn
My Hardware shows it supports IPSec-MB however it is inactive.
In System => Advanced => Misc I do not have an option to activate IPSec-MB
I see the Option for QAT here even though the hardware shows it is not available.
What is my best option to select here?
-
@McMurphy IIMB is the checkbox in your screenshot. :)
There is a write up in this section:
https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#cryptographic-thermal-hardware
“Best” depends on a few things, for instance algorithm.
-
@SteveITS said in Activating IPsec-MB Crypto:
IIMB is the checkbox in your screenshot. :)
oh, that's a bit embarrassing :)
Few more qns pls:
- Now I have IPSec-MB enabled what should be selected for crypto hardware?
- Should QAT be listed here if it is not an option for my hardware?
- When I enabled IPSec-MB do I need to restart pfSense for this to take effect?
I am trying to improve the speeds to a site-site OVPN link. IPSec runs at approx 95Mbps whereas the best I can get from OVPN+DCO is 30Mbps
-
@McMurphy On https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#supported-devices it says
"QAT is ideal for use with IPsec and OpenVPN DCO. It is currently the fastest acceleration option for the algorithms it supports."
Is this a Netgate model or your own hardware?
I want to say if you enable QAT it might not say No anymore...I don't have one I can easily toggle though. I think it wouldn't be in the dropdown if it wasn't supported on the hardware.
-
My own hardware.
I did select QAT but it still shows as "No" on the dashboard so I guess it is not available.
-
@SteveITS said in Activating IPsec-MB Crypto:
@McMurphy IIMB is the checkbox in your screenshot. :)
I don't have this in my Misc section:
I'm running pfsense CE 2.6.0-RELEASE (amd64) on a Protectli FW4C:
Am I lacking hardware or a software update to enable this?
I run S2S IPsec tunnels among 3 of these units, each connected by 1000/1000 fiber, so any improvement in throughput would be welcome!
Thanks!
-
@TheWaterbug It's a Plus feature.
https://docs.netgate.com/pfsense/en/latest/general/plus.html#intel-ipsec-multi-buffer-iimb-support
Also 2.6 is super old. When you get to 2.7.0 you'll probably need
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
-
Ugh. I'm not really thrilled about having to pay for Plus or TAC.
And I know I need to get off of 2.60, but there were lots of warnings about exactly what you linked, so I held off.
And now we're at 2.8x, aren't we?
Maybe I should buy another Protectli unit for testing.
-
warnings about exactly what you linked
FWIW that command’s an easy solution. After that there are plenty of System Patches updates, as normal. Well, we’re but 2.8 has them all.
-
@McMurphy Do you have an external BSD compatible cryptodev accelerator card or device outside of your AES-NI CPU? (These devices are extremely hard to find.) If not, why are you telling pfSense that you do? If you don't, you should use AES-NI CPU-based Acceleration only.