Netgate Discussion Forum

    No BSD Crypto Subsystem support in OpenVPN (pfSense 2.4)

    2.4 Development Snapshots
      Simba7

      I am currently configuring pfSense on my router with a Broadcom 5823 accelerator card. It is being detected, but the option is not available in OpenVPN within pfSense 2.4.

      ubsec0 mem 0xfcbf0000-0xfcbfffff irq 19 at device 15.0 on pci16
      ubsec0: Broadcom 5823

      Has this feature been removed in 2.4?

        jwt Netgate

        basically, yes.

          chrcoluk

          That's disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

          pfSense CE 2.7.2

            Simba7

            @chrcoluk:

            That's disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

            Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

              jimp Rebel Alliance Developer Netgate

              https://redmine.pfsense.org/issues/5976

                chrcoluk

                Right, so it's not actually removed.

                crypto and cryptodev are two separate things and moving it to a module isn't removing it.

                thanks for pointing to the link.

                I will be testing openvpn sometime this week so I will post here if it offloads on my hardware.

                Can also see here the aesni offload is loaded on my pfsense 2.4 box.

                root@PFSENSE ~ # kldstat
                Id Refs Address            Size     Name
                 1    8 0xffffffff80200000 2bdc6d8  kernel
                 2    1 0xffffffff83021000 589b     fdescfs.ko
                 3    1 0xffffffff83027000 79e8     aesni.ko
                 4    1 0xffffffff8302f000 2bd2     coretemp.ko
                

                However on a FreeBSD server I have crypto module also loaded.

                10    2 0xffffffff81e7f000 35110    crypto.ko
                11    1 0xffffffff81eb5000 5a30     aesni.ko
                

                But it's included in kernel on pfsense so not an issue as far as I can tell.

                root@PFSENSE ~ # kldload crypto
                kldload: can't load crypto: module already loaded or in kernel
                

                cryptodev slows things down, so don't put it back in the kernel.

                pfSense CE 2.7.2
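
The post above separates a module loaded from a `.ko` file from one compiled into the kernel. The following is an added example, not code from the thread or from pfSense, that classifies `crypto`, `cryptodev` and `aesni` that way. The function names are hypothetical, and it assumes each module's registered name equals its `.ko` base name and that `kldstat -q -m NAME` succeeds for a module that is either compiled in or loaded.

```shell
#!/bin/sh
# Added example: classify crypto-related modules from `kldstat` output.

# Listing quoted in the post above (pfSense 2.4 box).
PFSENSE_KLDSTAT='Id Refs Address            Size     Name
 1    8 0xffffffff80200000 2bdc6d8  kernel
 2    1 0xffffffff83021000 589b     fdescfs.ko
 3    1 0xffffffff83027000 79e8     aesni.ko
 4    1 0xffffffff8302f000 2bd2     coretemp.ko'

# The two rows quoted from the FreeBSD server; the header row is added here.
FREEBSD_KLDSTAT='Id Refs Address            Size     Name
10    2 0xffffffff81e7f000 35110    crypto.ko
11    1 0xffffffff81eb5000 5a30     aesni.ko'

# loaded_as_kld NAME: read a kldstat listing on stdin; succeed if NAME.ko
# appears in the Name column, i.e. it was loaded as a separate module file.
loaded_as_kld() {
    awk -v want="$1.ko" '$5 == want { found = 1 } END { exit !found }'
}

# probe_module NAME: ask the running kernel whether a module called NAME is
# registered at all (compiled in or loaded). Fails where kldstat is missing.
# Assumption: the module name equals the .ko base name.
probe_module() {
    kldstat -q -m "$1" 2>/dev/null
}

# module_state NAME LISTING: print "kld", "in-kernel" or "absent".
module_state() {
    if printf '%s\n' "$2" | loaded_as_kld "$1"; then
        echo kld
    elif probe_module "$1"; then
        echo in-kernel
    else
        echo absent
    fi
}

# On the firewall itself, classify against the live listing.
if command -v kldstat >/dev/null 2>&1; then
    live=$(kldstat)
    for m in crypto cryptodev aesni; do
        printf '%-10s %s\n' "$m" "$(module_state "$m" "$live")"
    done
fi
```

A result of `in-kernel` for `crypto` corresponds to the `kldload: can't load crypto: module already loaded or in kernel` message quoted above.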

                  VAMike

                  @Simba7:

                  @chrcoluk:

                  That's disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

                  Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

                  Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

                    athurdent

                    @chrcoluk:

                    I will be testing openvpn sometime this week so I will post here if it offloads on my hardware.

                    I'd be very interested in the results and maybe also some iperf tests :)

                      chrcoluk

                      OK, what am I looking for to verify it's working?

                      pfSense CE 2.7.2

                        athurdent

                        Speed :)
                        Would be interesting to know how GCM compares to CBC in terms of performance. To test this I would connect a decent Client to my WAN switch and run iperf3 tests (with and without -R) against a server in LAN. And monitor CPU usage while testing.

                          chrcoluk

                          I do see this line on startup.

                          "Initializing OpenSSL support for engine 'rdrand'"

                          pfSense CE 2.7.2

                            Simba7

                            @VAMike:

                            @Simba7:

                            @chrcoluk:

                            That's disappointing, I invested in a crypto cpu for better openvpn performance, can you please give the reason for this?

                            Same here. I threw a Broadcom 5823 card into my Checkpoint 9070 to offload some of the crypto operations.

                            Sometimes the right answer is to retire obsolete hardware. Most modern CPUs will run rings around a 5823.

                            Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

                            We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

                              athurdent

                              @Simba7:

                              Depends on the wife approval factor. I don't think throwing $300-500 on a new router, not to mention a pair of dual port 10GigE NICs and dual 4 port GigE NICs, would be approved.

                              We currently are utilizing a Checkpoint 9070 box running pfSense and it has 4x10GigE ports and 10x1GigE ports.

                              Well, 500$ seems to be nothing compared to the monthly rates for a 10GB Internet line :)

                              Doesn't that system have at least 2 Xeons? Does it really benefit from offloading crypto for OpenVPN?
