Netgate Discussion Forum
    pfsense on Hyper-V and hardware crypto

    General pfSense Questions
    11 Posts 2 Posters 2.2k Views
    Hammer8

      Hi, I'm running pfSense as a guest on Hyper-V/Windows Server 2016. On my dashboard, it says that AES-NI is available and active; however, when I set up my OpenVPN client, the only option I see for Hardware Crypto is Intel RDRAND Engine. Is that the same as hardware AES-NI? If not, should I select that or select No Hardware Acceleration?

      Thank you!

      kiokoman

        Yes, you should select that.

        Please do not use chat/PM to ask for help.
        Don't forget to upvote with the 👍 button for any post you find to be helpful.

        Hammer8

          Thanks... is RDRAND the same as AES-NI? On some forums it says there should be an option for "AES-NI CPU-based Acceleration".

          Thank you!

          kiokoman

            No, it's not the same. RDRAND returns random numbers that are supplied by a cryptographically secure Deterministic Random Bit Generator (DRBG).
            To make it short, it's a random number generator.
            You can check for AES-NI presence from the terminal/console, for example with

            dmesg | head -12 | tail -4
            

            CPU: Westmere E56xx/L56xx/X56xx (IBRS update) (2393.99-MHz K8-class CPU)
            Origin="GenuineIntel" Id=0x206c1 Family=0x6 Model=0x2c Stepping=1
            Features=0xf83fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,SS>
            Features2=0x83ba2223<SSE3,PCLMULQDQ,VMX,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,HV>

            If it is present, it will automatically be used by OpenSSL.

            Hammer8

              Maybe it's because I'm running it as a Hyper-V guest, but when I do that, I get:

              SRAT: Ignoring memory at addr 0x100000000
              SRAT: Ignoring memory at addr 0x1000000000
              SRAT: Ignoring memory at addr 0x10000200000
              SRAT: Ignoring memory at addr 0x20000200000

              kiokoman

                dmesg | grep -a -C 5 AESNI

                Hammer8

                  Awesome, thanks! AES-NI is listed under Features2, so it's being used even though that's not an option I can select under the OpenVPN client setup?

                  kiokoman

                    Yup, you can test it with

                    AES-NI enabled:

                    openssl speed -elapsed -evp aes-128-cbc

                    AES-NI disabled:

                    env OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

                    Hammer8

                      Thank you for your patience! If I run the second command to test the disabled speed, do I need to do anything to revert back to enabled?

                      kiokoman

                        Yes, sorry. Reboot, or a simple

                        env OPENSSL_ia32cap=""

                        will do the trick.

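The checks from kiokoman's answers above (the dmesg flag test and the two openssl speed runs), collected into one script. This is an added example, not code from the thread or from pfSense/Netgate. It assumes the FreeBSD boot-message format quoted in the thread and the summary table that `openssl speed -evp <cipher>` prints; the sample dmesg and speed text below are constructed for the example, and the `aesni0:` attach line and the /var/run/dmesg.boot path are assumptions about FreeBSD's aesni(4) driver rather than anything the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/Netgate.
# Assumes: the FreeBSD boot-message format quoted in the thread, the summary
# table printed by `openssl speed -evp <cipher>`, and (assumption) that the
# aesni(4) kernel driver logs a line starting with "aesniN:" when it attaches.
# All sample text below is constructed for the example.

# Constructed copy of the CPU block FreeBSD logs at boot. On a Hyper-V guest the
# SRAT lines push it out of `dmesg | head`, so match by pattern, not position.
SAMPLE_DMESG='SRAT: Ignoring memory at addr 0x100000000
CPU: Westmere E56xx/L56xx/X56xx (IBRS update) (2393.99-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x206c1  Family=0x6  Model=0x2c  Stepping=1
  Features=0xf83fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,SS>
  Features2=0x83ba2223<SSE3,PCLMULQDQ,VMX,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,HV>
aesni0: <AES-CBC,AES-GCM,AES-ICM,AES-XTS> on motherboard'

# Constructed tail of an `openssl speed -elapsed -evp aes-128-cbc` run; the
# figures are 1000s of bytes per second, one column per block size.
SAMPLE_SPEED='The numbers are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     725843.10k   885224.19k   902114.30k   905110.53k   906231.81k   906412.03k'

# has_cpu_flag FLAG  (boot messages on stdin)
# True only when FLAG is a whole entry of a Features=<...> or Features2=<...>
# list, so "AES" does not match AESNI and RDRAND is not confused with RDSEED.
has_cpu_flag() {
    grep -E '^ *Features2?=' | grep -qE "[<,]$1[,>]"
}

# aesni_driver_attached  (boot messages on stdin)
# The CPU flag says the instructions exist; this says the kernel driver that
# pfSense's IPsec path uses actually attached. OpenSSL needs only the flag.
aesni_driver_attached() {
    grep -qE '^aesni[0-9]+: '
}

# speed_kbps CIPHER COLUMN  (openssl speed output on stdin)
# COLUMN 1..6 selects the 16/64/256/1024/8192/16384-byte block-size figure and
# prints it without the trailing "k". Prints nothing if CIPHER has no row.
speed_kbps() {
    awk -v c="$1" -v col="$2" '$1 == c { v = $(col + 1); sub(/k$/, "", v); print v }'
}

# check_live: run the two checks against this machine. FreeBSD keeps the boot
# messages in /var/run/dmesg.boot once the live buffer has scrolled.
check_live() {
    boot=$(cat /var/run/dmesg.boot 2>/dev/null || dmesg 2>/dev/null) || return 1
    if printf '%s\n' "$boot" | has_cpu_flag AESNI; then
        echo "CPU exposes AESNI"
    else
        echo "no AESNI flag visible (a hypervisor can hide it)"
    fi
    if printf '%s\n' "$boot" | aesni_driver_attached; then
        echo "aesni(4) attached"
    else
        echo "aesni(4) not attached"
    fi
}

# benchmark_aesni CIPHER: same cipher and mode in both runs, the second with
# AES-NI and PCLMULQDQ masked off through OPENSSL_ia32cap. `env` scopes the
# variable to that single openssl process, so nothing needs reverting.
benchmark_aesni() {
    cipher=${1:-aes-128-cbc}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    fast=$(openssl speed -elapsed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher" 5)
    slow=$(env OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp "$cipher" 2>/dev/null \
           | speed_kbps "$cipher" 5)
    [ -n "$fast" ] && [ -n "$slow" ] || { echo "could not parse openssl speed output" >&2; return 1; }
    echo "$cipher, 8 KiB blocks: AES-NI on ${fast}k/s, AES-NI masked ${slow}k/s"
    awk -v f="$fast" -v s="$slow" 'BEGIN { printf "speedup %.1fx\n", f / s }'
}

# Usage on a real box: sh aesni-check.sh --run [cipher]
if [ "${1:-}" = "--run" ]; then
    check_live
    benchmark_aesni "${2:-aes-128-cbc}"
fi
```

Two points the script makes explicit. Both benchmark runs use the same cipher and mode, because comparing aes-128-ecb against aes-128-cbc would mix the mode's own overhead into the AES-NI difference. And `env VAR=value command` sets the variable only in the environment of that one openssl process; the mask `~0x200000200000000` clears the AES-NI and PCLMULQDQ bits of OpenSSL's x86 capability word for that run, and the next openssl invocation probes the CPU afresh, so there is nothing to revert after the masked run.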
                        Hammer8

                          Thank you!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.