Update? SG-1100-crypto-hardware
-
It's because it's still in development. The driver is included in 2.4.5 for those who wish to test it but I would not recommend doing so in production.
Right now it supports only AES-128-CBC and as such provides some improvement for IPsec if you select that cipher. More to come.
Steve
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
AES-128-CBC
To test/use this in OpenVPN, are these the correct settings:
Also, do we need to reboot the SG-1100 after making the changes, or any other steps?
-
Disable NCP otherwise it may negotiate aes-128-gcm if the server supports it. The safexcel driver does not support GCM, yet.
But you will not see any improvement in OpenVPN yet. In my testing the current driver only helped IPsec.
Steve
-
Thanks!
-
Can pfSense use AES-128-CBC for an IPsec site-to-site VPN?
-
Yes.
-Rico
-
Thank you for the reply.
Sorry for the basic question but...
Under phase 2 proposal
Protocol: ESP
Encryption algorithm:
Selected AES
Selected 256 bits
Unselected all other protocols
Added Hash Algorithm SHA256
By doing the above, will the VPN use the hardware acceleration AES-256-CBC? I am hesitant because CBC isn't mentioned anywhere.
Thank you for your help,
Devan
-
Nevermind, I saw in the log:
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Thank you again.
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
Right now it supports only AES-128-CBC
This is still true. If you want to test the hardware crypto you can only use that currently.
Steve
-
Does the output of:
openssl engine -c -t
Indicate which algorithms are hardware accelerated?
[2.4.5-RELEASE][admin@sg1100]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][admin@sg1100]/root:
Thank you for clarifying,
Devan
-
It may register for more ciphers in the BSD cryptoframework but the code in the driver itself only supports AES-128-CBC.
I'm not sure how you appear to have the Intel Random Number device present on the SG-1100 there....
Steve
-
My error, wrong box.
SG-1100 properly:
[2.4.5-RELEASE][admin@pfSense.private.com]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][admin@pfSense.private.com]/root:
-
Ah, good. That had me questioning everything!
But, yes, the driver can only actually accelerate AES-128-CBC.
Steve
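The two checks this thread leans on are the `openssl engine -c -t` listing (Devan's post above) and the `configured proposals:` line from the IPsec log (the `ESP:AES_CBC_256/...` entry earlier in the thread). The script below, an added example and not code from the thread or from Netgate/pfSense, scripts both: it pulls the algorithm list a named engine registers, rewrites strongSwan's proposal names into the `AES-<bits>-CBC` form OpenSSL prints, and flags which of those the driver actually accelerates. The accelerated set is an assumption taken from Steve's statement that the 2.4.5 safexcel driver only does AES-128-CBC; it is not queried from the hardware, which is exactly the point: an engine registering a cipher in the BSD crypto framework does not mean the driver accelerates it. The sample engine output is constructed to match the paste above.

```shell
#!/bin/sh
# Added example, not from the thread or from Netgate/pfSense.
# ASSUMPTION (from Steve's posts, not read from the device): the 2.4.5 safexcel
# driver accelerates only AES-128-CBC. Everything else cryptodev registers is
# still handled in software.
ACCELERATED="AES-128-CBC"

# engine_algos ENGINE_ID   (stdin: output of `openssl engine -c -t`)
# Prints the algorithms the engine registers, comma separated, no spaces.
# Works on the normal multi-line output and on a copy pasted onto one line.
engine_algos() {
    tr '\n' ' ' | sed -n "s/.*($1)[^[]*\[\([^]]*\)\].*/\1/p" | tr -d ' '
}

# proposal_cipher LINE
# Extracts the ESP encryption algorithm from a strongSwan line such as
#   configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
# and rewrites AES_CBC_<bits> / AES_GCM_<icv>_<bits> into OpenSSL's
# AES-<bits>-CBC / AES-<bits>-GCM spelling so it can be compared.
proposal_cipher() {
    printf '%s\n' "$1" | sed -n 's/.*ESP:\([^/]*\).*/\1/p' \
        | sed -e 's/^AES_CBC_\([0-9]*\)$/AES-\1-CBC/' \
              -e 's/^AES_GCM_[0-9]*_\([0-9]*\)$/AES-\1-GCM/'
}

# is_accelerated CIPHER   -> exit 0 if the driver accelerates it, 1 otherwise
is_accelerated() {
    for c in $ACCELERATED; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# report ENGINE_ID   (stdin: engine listing)
# One line per registered algorithm: "accelerated" only for the ACCELERATED
# set, "registered only" for everything else the engine advertises.
report() {
    for a in $(engine_algos "$1" | tr ',' ' '); do
        if is_accelerated "$a"; then
            echo "$a: accelerated"
        else
            echo "$a: registered only (handled in software)"
        fi
    done
}

# Constructed sample matching the SG-1100 paste in this thread. On a real box:
#   openssl engine -c -t | report cryptodev
SAMPLE='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

printf '%s\n' "$SAMPLE" | report cryptodev

# Two constructed IPsec log lines: the AES-256 proposal from the thread and the
# AES-128 one you would pick to actually use the hardware.
for p in 'configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ' \
         'configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ'; do
    c=$(proposal_cipher "$p")
    if is_accelerated "$c"; then
        echo "proposal $c: accelerated"
    else
        echo "proposal $c: software only"
    fi
done
```

Run it as-is to see the constructed sample evaluated; on an SG-1100 pipe the real `openssl engine -c -t` output into `report cryptodev` and grep the `configured proposals:` line out of the IPsec log into `proposal_cipher`. Update `ACCELERATED` if a later driver adds ciphers (GCM, for instance); the script only knows what you tell it.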