Netgate Discussion Forum

    Update? SG-1100-crypto-hardware

    Official Netgate® Hardware
    19 Posts 5 Posters 2.8k Views
    • stephenw10 Netgate Administrator

      Disable NCP; otherwise it may negotiate AES-128-GCM if the server supports it. The safexcel driver does not support GCM yet.
      But you will not see any improvement in OpenVPN yet. In my testing, the current driver only helped IPsec.

      Steve

      • costanzo @stephenw10

        @stephenw10

        Thanks!

        • ddbnj

          Can pfSense use AES-128-CBC for an IPsec site-to-site VPN?

          • Rico LAYER 8 Rebel Alliance

            Yes.

            -Rico

            • ddbnj @Rico

              @Rico

              Thank you for the reply.

              Sorry for the basic question but...

              Under Phase 2 Proposal:

              Protocol: ESP
              Encryption algorithm: selected AES, selected 256 bits
              Unselected all other protocols
              Added Hash Algorithm: SHA256

              By doing the above, will the VPN use hardware-accelerated AES-256-CBC? I am hesitant because CBC isn't mentioned anywhere.

              Thank you for your help,

              Devan

              • ddbnj @ddbnj

                @ddbnj

                Never mind, I saw in the log:

                configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

                Thank you again.

                • stephenw10 Netgate Administrator @stephenw10

                  @stephenw10 said in Update? SG-1100-crypto-hardware:

                  Right now it supports only AES-128-CBC

                  This is still true. If you want to test the hardware crypto you can only use that currently.

                  Steve

                  • ddbnj @stephenw10

                    @stephenw10

                    Does the output of:

                    openssl engine -c -t
                    

                    Indicate which algorithms are hardware accelerated?

                    [2.4.5-RELEASE][admin@sg1100]/root: openssl engine -c -t
                    (cryptodev) BSD cryptodev engine
                     [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
                         [ available ]
                    (rdrand) Intel RDRAND engine
                     [RAND]
                         [ available ]
                    (dynamic) Dynamic engine loading support
                         [ unavailable ]
                    [2.4.5-RELEASE][admin@sg1100]/root:
                    

                    Thank you for clarifying,

                    Devan

                    • stephenw10 Netgate Administrator

                      It may register for more ciphers in the BSD crypto framework, but the code in the driver itself only supports AES-128-CBC.

                      I'm not sure how you appear to have the Intel random number device present on the SG-1100 there...

                      Steve

                      • ddbnj @stephenw10

                        @stephenw10

                        My error, wrong box.

                        SG-1100 properly:

                        [2.4.5-RELEASE][admin@pfSense.private.com]/root: openssl engine -c -t
                        (cryptodev) BSD cryptodev engine
                         [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
                             [ available ]
                        (dynamic) Dynamic engine loading support
                             [ unavailable ]
                        [2.4.5-RELEASE][admin@pfSense.private.com]/root:
                        
                        
                        • stephenw10 Netgate Administrator

                          Ah, good. That had me questioning everything!

                          But, yes, the driver can only actually accelerate AES-128-CBC.

                          Steve

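Added example, not code from this thread or from pfSense/Netgate: a small Python checker that reads the two kinds of output quoted above, a charon proposal line of the form Devan posted (`configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ`) and the `openssl engine -c -t` listing, and reports separately whether the ESP cipher is merely registered by the cryptodev engine and whether it is one the safexcel driver actually offloads. It also covers Steve's first point about OpenVPN by checking a client config for `ncp-disable` and a pinned cipher. It assumes, as Steve states in the thread, that the driver accelerates only AES-128-CBC (the `SAFEXCEL_ACCELERATED` constant); the `SAMPLE_*` inputs are constructed for the example, and the OpenVPN check relies only on the OpenVPN 2.4 `ncp-disable` and `cipher` directives.

```python
"""Will a VPN's negotiated cipher reach the SG-1100's safexcel driver?

Added example, not code from the thread or from pfSense/Netgate. It assumes,
as stephenw10 states above, that the driver accelerates only AES-128-CBC even
though the cryptodev engine registers more ciphers. SAMPLE_* inputs are
constructed to match the shape of what was quoted in the thread.
"""
import re

# Assumption taken from the thread: the only (cipher, key length) the driver handles.
SAFEXCEL_ACCELERATED = {("AES_CBC", 128)}

# Constructed samples. The first mirrors the charon log line Devan posted.
SAMPLE_PROPOSALS = [
    "configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ",
    "selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ",
    "selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ",
]
SAMPLE_ENGINE_OUTPUT = """\
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
"""
# Constructed OpenVPN 2.4 client configs: the first leaves NCP on, so the
# server may still negotiate AES-128-GCM; the second pins the cipher.
SAMPLE_OVPN_NCP_ON = "dev tun\ncipher AES-128-CBC\nauth SHA256\n"
SAMPLE_OVPN_PINNED = "dev tun\ncipher AES-128-CBC\nauth SHA256\nncp-disable\n"


def parse_proposal(line):
    """Split a strongSwan proposal such as ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ."""
    m = re.search(r"\b(ESP|AH|IKE):([A-Z0-9_/]+)", line)
    if not m:
        raise ValueError("no proposal in line: %r" % line)
    proto, parts = m.group(1), m.group(2).split("/")
    km = re.fullmatch(r"(.+?)_(\d+)", parts[0])      # AES_CBC_256 -> ("AES_CBC", 256)
    encr, keylen = (km.group(1), int(km.group(2))) if km else (parts[0], None)
    return {"proto": proto, "encr": encr, "keylen": keylen, "rest": parts[1:]}


def parse_engines(text):
    """Parse `openssl engine -c -t` output into {name: {desc, algorithms, available}}."""
    engines, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"\((\w+)\)\s*(.*)", line)
        det = re.fullmatch(r"\[(.*)\]", line)         # ignores shell prompt lines
        if head:
            current = head.group(1)
            engines[current] = {"desc": head.group(2), "algorithms": [], "available": None}
        elif current and det:
            body = det.group(1).strip()
            if body in ("available", "unavailable"):
                engines[current]["available"] = body == "available"
            else:
                engines[current]["algorithms"] = [a.strip() for a in body.split(",")]
    return engines


def openssl_to_strongswan(name):
    """AES-128-CBC (OpenSSL spelling) -> ("AES_CBC", 128); None for non-AES entries."""
    m = re.fullmatch(r"AES-(\d+)-([A-Z]+)", name)
    return ("AES_" + m.group(2), int(m.group(1))) if m else None


def ipsec_verdict(proposal_line, engine_text, accelerated=SAFEXCEL_ACCELERATED):
    """Distinguish 'registered in cryptodev' from 'actually offloaded by the driver'."""
    prop = parse_proposal(proposal_line)
    cipher = (prop["encr"], prop["keylen"])
    dev = parse_engines(engine_text).get("cryptodev", {})
    registered = {openssl_to_strongswan(a) for a in dev.get("algorithms", [])} - {None}
    return {
        "cipher": cipher,
        "engine_available": bool(dev.get("available")),
        "registered_in_cryptodev": cipher in registered,
        "accelerated_by_driver": cipher in accelerated,
    }


def openvpn_pinned(config_text, accelerated=SAFEXCEL_ACCELERATED):
    """True only if NCP is off and the static cipher is one the driver accelerates."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            directives[key] = val.strip()
    if "ncp-disable" not in directives:
        return False                      # server may still negotiate AES-128-GCM
    return openssl_to_strongswan(directives.get("cipher", "")) in accelerated


if __name__ == "__main__":
    for line in SAMPLE_PROPOSALS:
        print(ipsec_verdict(line, SAMPLE_ENGINE_OUTPUT))
    print(openvpn_pinned(SAMPLE_OVPN_NCP_ON), openvpn_pinned(SAMPLE_OVPN_PINNED))
```

Run as a script it prints one verdict per sample; the gap between `registered_in_cryptodev` and `accelerated_by_driver` is exactly the point Steve makes, so the AES-256-CBC proposal shows up as registered but not accelerated, and the GCM proposal as neither. On a live box, feed it the `selected proposal:` line charon logs when the child SA comes up rather than the `configured proposals:` line, since the latter only lists what the local side offers.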
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.