SG-1000 with IPSEC: recommended settings?



  • I browsed the forum for information on whether and how to enable the dropdown setting "Cryptographic Hardware" when I use IPsec tunnels with pfSense 2.4 beta on an SG-1000.
    As far as I understand, it doesn't matter yet what to set there, right?

    Will it hurt performance on this box if I use AES-256 for IPsec on this CPU?
    I run up to 5 tunnels in parallel on a 50/5 ADSL line here and am looking for the optimal setup in terms of security and performance.
    Thanks in advance, Stefan



  • My guess is that AES-256 is not going to perform great on this box. The one I've set up is no slouch, but with five simultaneous AES-256 tunnels that CPU will likely be struggling. Then again, with 5 Mb upload you could probably get away with it. My understanding is that the crypto accelerator is slated for support in 2.5 - https://forum.pfsense.org/index.php?topic=123013.msg679567#msg679567 - so I set BSD Cryptodev under the hardware setting. Not because it's currently doing anything, but because it's more likely to begin doing something without me changing anything when support is released (AES-NI is technically for Intel/AMD hardware; the ARM instructions are like AES-NI but aren't the same).

    These are just my best guesses and I'm happy to be corrected, given my minimal experience with the unit.



  • You won't be able to use the crypto accelerator until pfSense 2.5 comes out. Right now, the SG-1000 can do about 10 Mbps over VPN, give or take depending on cipher and what other services you have running on the box.
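The replies above reason about whether AES-256 will keep up with a 50/5 line from memory. An added example, not from the thread and not pfSense's own tooling: a POSIX shell script that measures the raw cipher cost on the box itself with `openssl speed -evp` (present on pfSense/FreeBSD) and compares it against the WAN rate the tunnels must share. It also lists which crypto kernel modules are loaded, which is the quickest way to see whether the "Cryptographic Hardware" setting is actually doing anything yet. The sample `openssl speed` output embedded below is constructed so the parsing can be tried without waiting for a benchmark; the 1024-byte column is chosen as an assumption about typical IPsec packet sizes. A userspace `openssl speed` figure is only an upper bound: the kernel IPsec path adds ESP/HMAC work, so treat a cipher that barely clears the line rate here as one that will not in practice.

```shell
#!/bin/sh
# Added example: size an IPsec cipher against the WAN line on a pfSense/FreeBSD box.
# Nothing here is pfSense's own code; function names are this example's.

# Constructed sample of the summary table that `openssl speed -evp aes-256-cbc` prints.
# Figures are in 1000s of bytes per second; columns are 16/64/256/1024/8192/16384-byte blocks.
SAMPLE_SPEED_OUTPUT="type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      12000.00k    14500.00k    15200.00k    15600.00k    15800.00k    15850.00k"

# Pull the 1024-byte column for one cipher out of openssl speed output and
# convert kilobytes/second to whole megabits/second.
# usage: speed_mbps_1024 <cipher-name> <openssl-speed-output>
speed_mbps_1024() {
  printf '%s\n' "$2" | awk -v c="$1" '
    $1 == c { sub(/k$/, "", $5); printf "%d\n", $5 * 8 / 1000 }'
}

# All tunnels share the same WAN, so the crypto path only has to keep up with
# the faster direction of the line, not with tunnel-count times line rate.
# usage: wan_crypto_demand_mbps <down_mbps> <up_mbps>
wan_crypto_demand_mbps() {
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Exit 0 if the measured cipher rate meets the line demand, 1 otherwise.
# usage: cipher_fits <cipher-name> <openssl-speed-output> <demand_mbps>
cipher_fits() {
  rate=$(speed_mbps_1024 "$1" "$2")
  [ -n "$rate" ] || return 1
  [ "$rate" -ge "$3" ]
}

# Run the real benchmark on this box (about 18 s per cipher) and print the table.
# usage: bench_cipher <cipher-name>
bench_cipher() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl speed -evp "$1" 2>/dev/null
}

# Show which crypto drivers the kernel has loaded. On FreeBSD the interesting
# names are cryptodev and aesni; an ARM accelerator would show up under its own
# driver name once a pfSense release supports it.
crypto_modules_loaded() {
  kldstat 2>/dev/null | awk 'NR > 1 && /crypto|aesni/ { print $NF }'
}

# Report both candidate ciphers against a given line, e.g. report 50 5
# usage: report <down_mbps> <up_mbps>
report() {
  demand=$(wan_crypto_demand_mbps "$1" "$2")
  echo "crypto modules loaded: $(crypto_modules_loaded | tr '\n' ' ')"
  for c in aes-128-cbc aes-256-cbc; do
    out=$(bench_cipher "$c") || continue
    rate=$(speed_mbps_1024 "$c" "$out")
    if cipher_fits "$c" "$out" "$demand"; then verdict=ok; else verdict=too-slow; fi
    echo "$c: ${rate} Mbit/s at 1024-byte blocks vs ${demand} Mbit/s line: $verdict"
  done
}
```

Run `report 50 5` on the SG-1000 to get both ciphers measured; if AES-256-CBC clears the line rate with margin and AES-128-CBC is not dramatically faster, there is no performance reason to downgrade the key size.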