Netgate Discussion Forum

    New Tunable: kern.crypto.iimb.enable_aescbc on fresh install

    Plus 25.07 Development Snapshots
    • luckman212 LAYER 8

      Noticed a new tunable that I haven't seen before

      kern.crypto.iimb.enable_aescbc
      

      On a stock 6100 25.07 RC install, this is being set to 0

      Any more info on this?

      • provels @luckman212

        @luckman212
        Docs
        Maybe because QAT is faster? It's '1' on mine, but my proc doesn't have QAT.

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

        • tedquade @luckman212

          @luckman212 On my stock 6100MAX 25.07RC it is set to 1.

          Ted

          • luckman212 LAYER 8 @tedquade

            @tedquade Guess when 25.07 officially releases I'll factory erase and check again.

            • mcury Rebel Alliance @luckman212

              SG-4100, 24.11, set to 0 here.
              Weird, this is explicitly set in my config file:

              <sysctl>
                <item>
                  <tunable>kern.crypto.iimb.enable_aescbc</tunable>
                  <value>0</value>
                </item>
              </sysctl>
              

              Edit:
              If you enable IPsec-MB, it will set kern.crypto.iimb.enable_aescbc to 0.
              Since I'm running WireGuard only, that is what I want, in my SG-4100.
              Just an FYI only, QAT is enabled but not in use.

              dead on arrival, nowhere to be found.
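
An added example (not code from the thread or from Netgate): a Python check that reports whether `kern.crypto.iimb.enable_aescbc` is explicitly set in a config.xml backup, as in the snippet quoted above, or is absent from it, and whether the entry matches the value the running system reports. The `<pfsense>` root element, the sample configs and the function names are assumptions; the running value is passed in by hand.

```python
import xml.etree.ElementTree as ET

TUNABLE = "kern.crypto.iimb.enable_aescbc"

# Constructed sample configs (not real backups). The <sysctl>/<item> layout is
# the one quoted in the thread; the <pfsense> root element is an assumption.
EXPLICIT = """<pfsense><sysctl>
  <item><tunable>kern.crypto.iimb.enable_aescbc</tunable><value>0</value></item>
</sysctl></pfsense>"""
ABSENT = """<pfsense><sysctl>
  <item><tunable>example.placeholder.tunable</tunable><value>1</value></item>
</sysctl></pfsense>"""


def configured_values(config_xml, tunable=TUNABLE):
    """Return every value the config explicitly assigns to `tunable`."""
    root = ET.fromstring(config_xml)
    # Accept a full config or a bare <sysctl> fragment like the one in the thread.
    sections = [root] if root.tag == "sysctl" else root.findall(".//sysctl")
    values = []
    for section in sections:
        for item in section.findall("item"):
            if (item.findtext("tunable") or "").strip() == tunable:
                values.append((item.findtext("value") or "").strip())
    return values


def classify(config_xml, running_value, tunable=TUNABLE):
    """Compare the config entry with the value the running system reports."""
    values = configured_values(config_xml, tunable)
    if not values:
        return "not-in-config"        # running value is not from an explicit entry
    if len(set(values)) > 1:
        return "conflicting-entries"  # same tunable listed with different values
    if values[0] != str(running_value).strip():
        return "config-differs-from-running"
    return "explicit-and-applied"


if __name__ == "__main__":
    # running_value would come from `sysctl -n kern.crypto.iimb.enable_aescbc`
    # on the firewall; here it is supplied by hand.
    for name, cfg, running in (("explicit", EXPLICIT, "0"), ("absent", ABSENT, "1")):
        print(name, configured_values(cfg), classify(cfg, running))
```
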

              • dennypage @luckman212

                @luckman212 said in New Tunable: kern.crypto.iimb.enable_aescbc on fresh install:

                Noticed a new tunable that I haven't seen before

                kern.crypto.iimb.enable_aescbc
                On a stock 6100 25.07 RC install, this is being set to 0

                Any more info on this?

                See documentation on Crypto here.

                • luckman212 LAYER 8 @dennypage

                  @dennypage Yes thanks I saw that, so I assume that for the 6100 (which does have QAT) that 0 is the preferred value here? Or does it not even really matter much?

                  • provels @luckman212

                    @luckman212 No idea, just spitballing, but is it dependent on the type of VPN you choose? I use OpenVPN, not IPSec.

                    Peder


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.