Netgate Discussion Forum
    How to speed up IPSEC, hardware encryption devices????

    IPsec
    8 Posts 4 Posters 8.6k Views
    grab3

      Hi! Happy New Year and Merry Christmas!

      I just set up a site-to-site tunnel; all good and stable, but the speed through the tunnel is ~7-8 Mbps out of ~40 Mbps directly.
      My routers are like this:

      #1 side

      ```
      Copyright (c) 1992-2006 The FreeBSD Project.
      Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
              The Regents of the University of California. All rights reserved.
      FreeBSD 6.1-RELEASE-p10 #0: Sun Oct 29 01:06:20 UTC 2006
          sullrich@builder.livebsd.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
      Timecounter "i8254" frequency 1193182 Hz quality 0
      CPU: Intel(R) Celeron(TM) CPU                1100MHz (1102.51-MHz 686-class CPU)
        Origin = "GenuineIntel"  Id = 0x6b1  Stepping = 1
        Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
      real memory  = 528416768 (503 MB)
      avail memory = 507498496 (483 MB)
      ACPI APIC Table: <VIA601 AWRDACPI>
      ioapic0 <Version 1.1> irqs 0-23 on motherboard
      wlan: mac acl policy registered
      kbd1 at kbdmux0
      ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
      acpi0: <VIA601 MSI ACPI> on motherboard
      acpi0: Power Button (fixed)
      Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
      acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
      cpu0: <ACPI CPU> on acpi0
      acpi_button0: <Power Button> on acpi0
      acpi_button1: <Sleep Button> on acpi0
      pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff,0x4000-0x407f,0x4080-0x40ff,0x5000-0x500f,0x6000-0x607f on acpi0
      pci0: <ACPI PCI bus> on pcib0
      agp0: <VIA 8601 (Apollo ProMedia PLE133Ta) host to PCI bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
      pcib1: <PCI-PCI bridge> at device 1.0 on pci0
      pci1: <PCI bus> on pcib1
      pci1: <display, VGA> at device 0.0 (no driver attached)
      isab0: <PCI-ISA bridge> at device 7.0 on pci0
      isa0: <ISA bus> on isab0
      atapci0: <VIA 82C686B UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xc000-0xc00f at device 7.1 on pci0
      ata0: <ATA channel 0> on atapci0
      ata1: <ATA channel 1> on atapci0
      uhci0: <VIA 83C572 USB controller> port 0xc400-0xc41f irq 5 at device 7.2 on pci0
      uhci0: [GIANT-LOCKED]
      usb0: <VIA 83C572 USB controller> on uhci0
      usb0: USB revision 1.0
      uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
      uhub0: 2 ports with 2 removable, self powered
      uhci1: <VIA 83C572 USB controller> port 0xc800-0xc81f irq 5 at device 7.3 on pci0
      uhci1: [GIANT-LOCKED]
      usb1: <VIA 83C572 USB controller> on uhci1
      usb1: USB revision 1.0
      uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
      uhub1: 2 ports with 2 removable, self powered
      pci0: <old> at device 7.4 (no driver attached)
      pci0: <multimedia, audio> at device 7.5 (no driver attached)
      dc0: <Davicom DM9102A 10/100BaseTX> port 0xdc00-0xdcff mem 0xd8000000-0xd80000ff irq 16 at device 8.0 on pci0
      miibus0: <MII bus> on dc0
      ukphy0: <Generic IEEE 802.3u media interface> on miibus0
      ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
      dc0: Ethernet address: 00:08:a1:72:5b:30
      rl0: <RealTek 8139 10/100BaseTX> port 0xe000-0xe0ff mem 0xd8001000-0xd80010ff irq 17 at device 9.0 on pci0
      miibus1: <MII bus> on rl0
      rlphy0: <RealTek internal media interface> on miibus1
      rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
      rl0: Ethernet address: 00:80:48:4b:f7:64
      rl1: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xd8002000-0xd80020ff irq 18 at device 10.0 on pci0
      miibus2: <MII bus> on rl1
      rlphy1: <RealTek internal media interface> on miibus2
      rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
      rl1: Ethernet address: 00:80:48:4c:29:5d
      speaker0: <PC speaker> port 0x61 on acpi0
      fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
      fdc0: [FAST]
      fd0: <1440-KB 3.5" drive> on fdc0 drive 0
      sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
      sio0: type 16550A
      sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
      sio1: type 16550A
      ppc0: <Standard parallel printer port> port 0x378-0x37f irq 7 on acpi0
      ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
      ppbus0: <Parallel port bus> on ppc0
      lpt0: <Printer> on ppbus0
      lpt0: Interrupt-driven port
      ppi0: <Parallel I/O> on ppbus0
      pmtimer0 on isa0
      orm0: <ISA Option ROMs> at iomem 0xc0000-0xcbfff,0xcc000-0xcffff on isa0
      atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
      atkbd0: <AT Keyboard> irq 1 on atkbdc0
      kbd0 at atkbd0
      atkbd0: [GIANT-LOCKED]
      sc0: <System console> at flags 0x100 on isa0
      sc0: VGA <16 virtual consoles, flags=0x300>
      vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
      Timecounter "TSC" frequency 1102506857 Hz quality 800
      Timecounters tick every 1.000 msec
      Fast IPsec: Initialized Security Association Processing.
      ad0: 76319MB <WDC WD800JB-00JJC0/05.01C05> at ata0-master UDMA100
      acd0: CDROM <GCR-8523B/1.01> at ata1-slave PIO4
      ```

      #2 side

      ```
      Copyright (c) 1992-2006 The FreeBSD Project.
      Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
              The Regents of the University of California. All rights reserved.
      FreeBSD 6.1-RELEASE-p10 #0: Sun Oct 29 01:06:20 UTC 2006
          sullrich@builder.livebsd.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
      Timecounter "i8254" frequency 1193182 Hz quality 0
      CPU: Intel(R) Pentium(R) 4 CPU 2.40GHz (2396.88-MHz 686-class CPU)
        Origin = "GenuineIntel"  Id = 0xf33  Stepping = 3
        Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
        Features2=0x41d<SSE3,RSVD2,MON,DS_CPL,CNTX-ID>
      real memory  = 527695872 (503 MB)
      avail memory = 506793984 (483 MB)
      ACPI APIC Table: <A M I  OEMAPIC >
      ioapic0: Changing APIC ID to 1
      ioapic0 <Version 2.0> irqs 0-23 on motherboard
      wlan: mac acl policy registered
      kbd1 at kbdmux0
      ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
      acpi0: <A M I  OEMRSDT > on motherboard
      acpi0: Power Button (fixed)
      Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
      acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
      cpu0: <ACPI CPU> on acpi0
      acpi_throttle0: <ACPI CPU Throttling> on cpu0
      pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
      pci0: <ACPI PCI bus> on pcib0
      agp0: <Intel 82865G (865G GMCH) SVGA controller> port 0xec00-0xec07 mem 0xf0000000-0xf7ffffff,0xff280000-0xff2fffff irq 16 at device 2.0 on pci0
      agp0: detected 8060k stolen memory
      agp0: aperture size is 128M
      uhci0: <Intel 82801EB (ICH5) USB controller USB-A> port 0xdc00-0xdc1f irq 16 at device 29.0 on pci0
      uhci0: [GIANT-LOCKED]
      usb0: <Intel 82801EB (ICH5) USB controller USB-A> on uhci0
      usb0: USB revision 1.0
      uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
      uhub0: 2 ports with 2 removable, self powered
      uhci1: <Intel 82801EB (ICH5) USB controller USB-B> port 0xe000-0xe01f irq 19 at device 29.1 on pci0
      uhci1: [GIANT-LOCKED]
      usb1: <Intel 82801EB (ICH5) USB controller USB-B> on uhci1
      usb1: USB revision 1.0
      uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
      uhub1: 2 ports with 2 removable, self powered
      uhci2: <Intel 82801EB (ICH5) USB controller USB-C> port 0xe400-0xe41f irq 18 at device 29.2 on pci0
      uhci2: [GIANT-LOCKED]
      usb2: <Intel 82801EB (ICH5) USB controller USB-C> on uhci2
      usb2: USB revision 1.0
      uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
      uhub2: 2 ports with 2 removable, self powered
      uhci3: <Intel 82801EB (ICH5) USB controller USB-D> port 0xe800-0xe81f irq 16 at device 29.3 on pci0
      uhci3: [GIANT-LOCKED]
      usb3: <Intel 82801EB (ICH5) USB controller USB-D> on uhci3
      usb3: USB revision 1.0
      uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
      uhub3: 2 ports with 2 removable, self powered
      ehci0: <Intel 82801EB/R (ICH5) USB 2.0 controller> mem 0xff27fc00-0xff27ffff irq 23 at device 29.7 on pci0
      ehci0: [GIANT-LOCKED]
      usb4: EHCI version 1.0
      usb4: companion controllers, 2 ports each: usb0 usb1 usb2 usb3
      usb4: <Intel 82801EB/R (ICH5) USB 2.0 controller> on ehci0
      usb4: USB revision 2.0
      uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
      uhub4: 8 ports with 8 removable, self powered
      pcib1: <ACPI PCI-PCI bridge> at device 30.0 on pci0
      pci1: <ACPI PCI bus> on pcib1
      rl0: <RealTek 8139 10/100BaseTX> port 0xb800-0xb8ff mem 0xff0ffc00-0xff0ffcff irq 20 at device 3.0 on pci1
      miibus0: <MII bus> on rl0
      rlphy0: <RealTek internal media interface> on miibus0
      rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
      rl0: Ethernet address: 00:00:21:fb:18:ab
      rl1: <RealTek 8139 10/100BaseTX> port 0xb400-0xb4ff mem 0xff0ff800-0xff0ff8ff irq 22 at device 5.0 on pci1
      miibus1: <MII bus> on rl1
      rlphy1: <RealTek internal media interface> on miibus1
      rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
      rl1: Ethernet address: 00:19:66:37:19:07
      isab0: <PCI-ISA bridge> at device 31.0 on pci0
      isa0: <ISA bus> on isab0
      atapci0: <Intel ICH5 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 31.1 on pci0
      ata0: <ATA channel 0> on atapci0
      ata1: <ATA channel 1> on atapci0
      pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
      pci0: <multimedia, audio> at device 31.5 (no driver attached)
      acpi_button0: <Power Button> on acpi0
      speaker0: <PC speaker> port 0x61 on acpi0
      fdc0: <floppy drive controller (FDE)> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
      fdc0: [FAST]
      fd0: <1440-KB 3.5" drive> on fdc0 drive 0
      ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0
      ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
      ppc0: FIFO with 16/16/9 bytes threshold
      ppbus0: <Parallel port bus> on ppc0
      lpt0: <Printer> on ppbus0
      lpt0: Interrupt-driven port
      ppi0: <Parallel I/O> on ppbus0
      sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
      sio0: type 16550A
      pmtimer0 on isa0
      orm0: <ISA Option ROM> at iomem 0xc0000-0xc9fff on isa0
      atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
      atkbd0: <AT Keyboard> irq 1 on atkbdc0
      kbd0 at atkbd0
      atkbd0: [GIANT-LOCKED]
      sc0: <System console> at flags 0x100 on isa0
      sc0: VGA <16 virtual consoles, flags=0x300>
      sio1: configured irq 3 not in bitmap of probed irqs 0
      sio1: port may not be enabled
      vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
      Timecounter "TSC" frequency 2396877174 Hz quality 800
      Timecounters tick every 1.000 msec
      Fast IPsec: Initialized Security Association Processing.
      ad1: 76319MB <Seagate ST3802110A/3.AAJ> at ata0-slave UDMA100
      acd0: CDROM <HL-DT-ST CD-ROM GCR-8520B/1.00> at ata1-slave PIO4
      ```

      pfSense version is 1.0.1.
      
      So what can I actually do to speed up the performance of my IPsec tunnel? Can I tweak the "software" with the existing hardware configuration, or should I install special network cards with cryptographic support, or just a crypto card? What cryptographic equipment does pfSense actually support? And can I turn encryption for the tunnel off at all in pfSense?
      
      Thanks in advance,
      Anton
      dotdash

        First, you might have better luck with a more recent build, like 1.2RC3.
        Second, the IPsec config would have been handy instead of the bootup output.
        I've had good luck using a Hifn board like this: http://www.soekris.com/vpn1401.htm
        There are other supported accelerators; check the FreeBSD HCL, but the Hifn cards seem to be well tested and supported.

        grab3

          Thanks for the reply, but for some odd reason I had problems installing 1.2RC2. I had problems with 1.0.1 as well, but solved them using the boot troubleshooting howto. OK, I will try 1.2RC3 if you think it will help. 7 Mbit/s is good enough for me though; I just want everything to be fast and perfect ;-)

          grab3

            And one last question! Is it possible to switch encryption for the tunnel off? I send nothing really special through it. And here is my config from one side:

            ```xml
            <pfsense>
            	<version>2.3</version>
            	<lastchange/>
            	<theme>pfsense</theme>
            	<system>
            		<optimization>normal</optimization>
            		<hostname>kenny</hostname>
            		<domain>local</domain>
            		<username>admin</username>
            		<password>123456789</password>
            		<timezone>Etc/UTC</timezone>
            		<time-update-interval/>
            		<timeservers>pool.ntp.org</timeservers>
            		<webgui>
            			<protocol>http</protocol>
            			<certificate/>
            			<private-key/>
            		</webgui>
            		<disablenatreflection>yes</disablenatreflection>
            		<enablesshd>yes</enablesshd>
            		<maximumstates/>
            		<dnsserver>213.142.214.1</dnsserver>
            		<dnsallowoverride/>
            	</system>
            	<interfaces>
            		<lan>
            			<if>rl0</if>
            			<ipaddr>192.168.1.1</ipaddr>
            			<subnet>24</subnet>
            			<media/>
            			<mediaopt/>
            			<bandwidth>100</bandwidth>
            			<bandwidthtype>Mb</bandwidthtype>
            		</lan>
            		<wan>
            			<if>rl1</if>
            			<mtu/>
            			<media/>
            			<mediaopt/>
            			<bandwidth>100</bandwidth>
            			<bandwidthtype>Mb</bandwidthtype>
            			<spoofmac/>
            			<disableftpproxy/>
            			<ipaddr>192.170.1.2</ipaddr>
            			<subnet>24</subnet>
            			<gateway>192.170.1.1</gateway>
            		</wan>
            	</interfaces>
            	<staticroutes/>
            	<pppoe/>
            	<pptp/>
            	<bigpond/>
            	<dyndns>
            		<type>dyndns</type>
            		<username/>
            		<password/>
            	</dyndns>
            	<dhcpd>
            		<lan>
            			<enable/>
            			<range>
            				<from>192.168.1.100</from>
            				<to>192.168.1.199</to>
            			</range>
            		</lan>
            	</dhcpd>
            	<pptpd>
            		<mode/>
            		<redir/>
            		<localip/>
            	</pptpd>
            	<ovpn/>
            	<dnsmasq>
            		<enable/>
            	</dnsmasq>
            	<snmpd>
            		<syslocation/>
            		<syscontact/>
            		<rocommunity>public</rocommunity>
            	</snmpd>
            	<diag>
            		<ipv6nat/>
            	</diag>
            	<bridge/>
            	<syslog>
            		<nentries>50</nentries>
            		<nologdefaultblock/>
            	</syslog>
            	<nat>
            		<ipsecpassthru/>
            		<advancedoutbound>
            			<rule>
            				<source>
            					<network>192.168.1.0/24</network>
            				</source>
            				<sourceport/>
            				<descr>Auto created rule for LAN</descr>
            				<target/>
            				<interface>wan</interface>
            				<destination>
            					<any/>
            				</destination>
            				<natport/>
            			</rule>
            			<enable/>
            		</advancedoutbound>
            	</nat>
            	<filter>
            		<rule>
            			<type>pass</type>
            			<interface>wan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<os/>
            			<source>
            				<address>10.7.3.115</address>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<log/>
            			<descr>Allow All from raduga</descr>
            		</rule>
            		<rule>
            			<type>pass</type>
            			<interface>lan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<os/>
            			<source>
            				<address>Administartor</address>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<log/>
            			<descr>Allow For Administrator</descr>
            		</rule>
            		<rule>
            			<type>pass</type>
            			<interface>lan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<source>
            				<address>Managers</address>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<log/>
            			<descr>Allow For ManagerELena</descr>
            		</rule>
            		<rule>
            			<type>pass</type>
            			<interface>lan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<os/>
            			<source>
            				<address>Bank</address>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<log/>
            			<descr>Allow For Banking Terminal</descr>
            		</rule>
            		<rule>
            			<type>pass</type>
            			<interface>lan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<os/>
            			<source>
            				<address>Operator</address>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<log/>
            			<descr>Allow For Operator</descr>
            		</rule>
            		<rule>
            			<type>pass</type>
            			<interface>lan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<os/>
            			<source>
            				<address>Direktor</address>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<log/>
            			<descr>Allow For Direktor</descr>
            		</rule>
            		<rule>
            			<type>block</type>
            			<interface>lan</interface>
            			<max-src-nodes/>
            			<max-src-states/>
            			<statetimeout/>
            			<statetype>keep state</statetype>
            			<os/>
            			<source>
            				<network>lan</network>
            			</source>
            			<destination>
            				<any/>
            			</destination>
            			<descr>DISABLE ALL</descr>
            		</rule>
            	</filter>
            	<ipsec>
            		<preferredoldsa/>
            		<mobileclients>
            			<p1>
            				<mode>aggressive</mode>
            				<myident>
            					<myaddress/>
            				</myident>
            				<encryption-algorithm>3des</encryption-algorithm>
            				<hash-algorithm>sha1</hash-algorithm>
            				<dhgroup>2</dhgroup>
            				<lifetime>1200</lifetime>
            				<private-key/>
            				<cert/>
            				<authentication_method>pre_shared_key</authentication_method>
            			</p1>
            			<p2>
            				<protocol>esp</protocol>
            				<encryption-algorithm-option>3des</encryption-algorithm-option>
            				<encryption-algorithm-option>blowfish</encryption-algorithm-option>
            				<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            				<hash-algorithm-option>hmac_md5</hash-algorithm-option>
            				<pfsgroup>0</pfsgroup>
            				<lifetime>1200</lifetime>
            			</p2>
            		</mobileclients>
            		<mobilekey>
            			<ident>gamesmaster@mail.ru</ident>
            			<pre-shared-key>gbplfceifvb</pre-shared-key>
            		</mobilekey>
            		<tunnel>
            			<interface>wan</interface>
            			<local-subnet>
            				<network>lan</network>
            			</local-subnet>
            			<remote-subnet>192.168.2.0/24</remote-subnet>
            			<remote-gateway>10.7.3.115</remote-gateway>
            			<p1>
            				<mode>aggressive</mode>
            				<myident>
            					<ufqdn>gamesmaster@mail.ru</ufqdn>
            				</myident>
            				<encryption-algorithm>blowfish</encryption-algorithm>
            				<hash-algorithm>sha1</hash-algorithm>
            				<dhgroup>1</dhgroup>
            				<lifetime>86400</lifetime>
            				<pre-shared-key>gbplfceifvb</pre-shared-key>
            				<private-key/>
            				<cert/>
            				<peercert/>
            				<authentication_method>pre_shared_key</authentication_method>
            			</p1>
            			<p2>
            				<protocol>esp</protocol>
            				<encryption-algorithm-option>blowfish</encryption-algorithm-option>
            				<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            				<pfsgroup>0</pfsgroup>
            				<lifetime>86400</lifetime>
            			</p2>
            			<descr>DrugbaToRadugaGW</descr>
            		</tunnel>
            		<tunnel>
            			<disabled/>
            			<interface>wan</interface>
            			<local-subnet>
            				<address>192.168.1.0/24</address>
            			</local-subnet>
            			<remote-subnet>192.168.3.0/24</remote-subnet>
            			<remote-gateway>10.1.1.1</remote-gateway>
            			<p1>
            				<mode>aggressive</mode>
            				<myident>
            					<myaddress/>
            				</myident>
            				<encryption-algorithm>3des</encryption-algorithm>
            				<hash-algorithm>sha1</hash-algorithm>
            				<dhgroup>2</dhgroup>
            				<lifetime>86400</lifetime>
            				<pre-shared-key>gbplfceifvb</pre-shared-key>
            				<private-key/>
            				<cert/>
            				<peercert/>
            				<authentication_method>pre_shared_key</authentication_method>
            			</p1>
            			<p2>
            				<protocol>esp</protocol>
            				<encryption-algorithm-option>3des</encryption-algorithm-option>
            				<encryption-algorithm-option>blowfish</encryption-algorithm-option>
            				<encryption-algorithm-option>cast128</encryption-algorithm-option>
            				<encryption-algorithm-option>rijndael</encryption-algorithm-option>
            				<encryption-algorithm-option>rijndael 256</encryption-algorithm-option>
            				<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            				<hash-algorithm-option>hmac_md5</hash-algorithm-option>
            				<pfsgroup>0</pfsgroup>
            				<lifetime>86400</lifetime>
            			</p2>
            			<descr>TunDrugbaRomashka5(denied until set up server in romashka)</descr>
            		</tunnel>
            		<enable/>
            	</ipsec>
            	<aliases>
            		<alias>
            			<name>Administartor</name>
            			<address>192.168.1.3</address>
            			<descr>Administrator computer</descr>
            		</alias>
            		<alias>
            			<name>Bank</name>
            			<address>192.168.1.6</address>
            			<descr>Banking terminal machine</descr>
            		</alias>
            		<alias>
            			<name>Direktor</name>
            			<address>192.168.1.186</address>
            			<descr>Directors computer</descr>
            		</alias>
            		<alias>
            			<name>Managers</name>
            			<address>192.168.1.219 192.168.1.42 192.168.1.43 192.168.1.46</address>
            			<descr>Managers group</descr>
            		</alias>
            		<alias>
            			<name>Operator</name>
            			<address>192.168.1.31</address>
            			<descr>Operators computer</descr>
            		</alias>
            	</aliases>
            	<proxyarp/>
            	<wol/>
            	<installedpackages/>
            	<revision>
            		<description>/firewall_rules_edit.php made unknown change</description>
            		<time>1199782773</time>
            	</revision>
            	<virtualip/>
            </pfsense>
            ```

            Rich

              Add an encryption card. With that 1.1 GHz Celeron I would bet that the processor is at 100% at 7-8 Mb/s.

              These work well with pfsense and are pretty cheap.

              http://soekris.com/vpn1401.htm

              ben.suffolk

                Hi,

                So if you just drop one of those VPN1401 cards into your machine, will it just pick it up and use it for all IPsec encryption, or does there need to be some configuration / re-installation for it to use it?

                Regards

                Ben

                dotdash

                  Just drop it in and it works, assuming you have your tunnel using supported encryption. Per the note on the IPsec page: 'Hint: use 3DES for best compatibility or if you have a hardware crypto accelerator card.'
                  You should see it listed on the system page:

                  [image: hifn.jpg]

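The two posts above fit together: grab3's config shows the proposals in use (aggressive mode with a PSK, DH group 1, PFS off, Blowfish), and dotdash's note says a crypto card only helps when the tunnel negotiates a cipher the card implements. The script below is an added example, not code from this thread or from pfSense: it parses a pfSense 1.x-style config.xml and reports, per tunnel, the weak IKE settings a reviewer would flag and whether each Phase 1/Phase 2 cipher would be offloaded. The offload table is an assumption taken from the FreeBSD hifn(4) man page (Hifn 7955/7956, the chip family on the Soekris vpn1401, accelerates DES, 3DES and AES, so Blowfish and CAST128 proposals stay on the CPU). The embedded sample config is a constructed fragment modeled on the posted one, with the second tunnel changed to main mode and PFS on to show what a clean result looks like.

```python
"""Audit the IPsec proposals in a pfSense 1.x config.xml.

Added example, not code from the thread or from pfSense. The offload table
is an assumption taken from the FreeBSD hifn(4) man page: Hifn 7955/7956
cards (the Soekris vpn1401 class) accelerate DES, 3DES and AES, so
Blowfish and CAST128 proposals stay in software.
"""
import xml.etree.ElementTree as ET

HIFN_CIPHERS = {"des", "3des", "rijndael", "rijndael 256"}  # assumption, see docstring
WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP"}

# Constructed fragment modeled on the config posted in this thread, not the
# full file; the second tunnel is changed to main mode with PFS on as a contrast.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <password>123456789</password>
    <webgui><protocol>http</protocol></webgui>
  </system>
  <snmpd><rocommunity>public</rocommunity></snmpd>
  <ipsec>
    <tunnel>
      <descr>DrugbaToRadugaGW</descr>
      <p1>
        <mode>aggressive</mode>
        <encryption-algorithm>blowfish</encryption-algorithm>
        <dhgroup>1</dhgroup>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
      <p2>
        <encryption-algorithm-option>blowfish</encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
      </p2>
    </tunnel>
    <tunnel>
      <descr>TunDrugbaRomashka5</descr>
      <p1>
        <mode>main</mode>
        <encryption-algorithm>3des</encryption-algorithm>
        <dhgroup>2</dhgroup>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
      <p2>
        <encryption-algorithm-option>3des</encryption-algorithm-option>
        <encryption-algorithm-option>cast128</encryption-algorithm-option>
        <encryption-algorithm-option>rijndael</encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
      </p2>
    </tunnel>
  </ipsec>
</pfsense>
"""

def text(node, path, default=""):
    """Stripped text of the first element matching path, or default if absent."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default

def offload(cipher):
    return "hardware" if cipher in HIFN_CIPHERS else "software only"

def audit_tunnel(tunnel):
    """Findings for one <tunnel>: weak IKE settings plus offload status per cipher."""
    name = text(tunnel, "descr", "<unnamed>")
    p1, p2 = tunnel.find("p1"), tunnel.find("p2")
    if p1 is None or p2 is None:
        return [f"{name}: missing p1 or p2 section"]
    out = []
    # Aggressive mode sends the PSK-derived hash in the clear, so a captured
    # exchange can be brute-forced offline; main mode does not expose it.
    if text(p1, "mode") == "aggressive" and text(p1, "authentication_method") == "pre_shared_key":
        out.append(f"{name}: aggressive mode with PSK, hash exposed to offline guessing")
    dh = text(p1, "dhgroup")
    if dh in WEAK_DH:
        out.append(f"{name}: DH group {dh} ({WEAK_DH[dh]}) is too small")
    p1_enc = text(p1, "encryption-algorithm")
    out.append(f"{name}: phase 1 cipher {p1_enc} -> {offload(p1_enc)}")
    if text(p2, "pfsgroup") == "0":
        out.append(f"{name}: PFS off, a recovered phase 1 key unlocks every phase 2 SA")
    for opt in p2.findall("encryption-algorithm-option"):
        enc = (opt.text or "").strip()
        out.append(f"{name}: phase 2 cipher {enc} -> {offload(enc)}")
    return out

def audit(config_xml):
    """System-level checks plus every tunnel; returns the list of findings."""
    root = ET.fromstring(config_xml)
    out = []
    if text(root, "system/webgui/protocol") == "http":
        out.append("webgui: plain HTTP, admin login crosses the LAN in clear")
    if text(root, "system/password"):
        out.append("system: admin password stored in clear, treat config backups as secrets")
    if text(root, "snmpd/rocommunity") == "public":
        out.append("snmpd: default 'public' read community")
    for tunnel in root.findall("ipsec/tunnel"):
        out.extend(audit_tunnel(tunnel))
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

To run it against a real backup, call `audit(open("config.xml").read())`. The offload column is only as good as the cipher that actually gets negotiated: a Phase 2 proposal list that offers 3DES and Blowfish together can still end up on the CPU if the peer picks Blowfish, so trim the list to the ciphers the card handles rather than just adding 3DES to the front.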
                  grab3

                    Well… I've seen the note, but I couldn't find any 3DES encryption cards in Russia, unfortunately.... :-( Actually I just installed RC3, and will check the speedup.

                    UUUUFFF, you are so lucky having a Hifn card >:(

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.