    SG-1000 with IPSEC: recommended settings?

    • sgw wrote:

      I have been browsing the forum for information on whether and how to enable the dropdown setting "Cryptographic Hardware" when I use IPSEC tunnels with pfsense-2.4 beta on a SG-1000.
      As far as I understand, it doesn't matter yet what is set there, right?

      Will it hurt performance on this box if I use AES-256 for IPSEC on this CPU?
      I run up to around 5 tunnels in parallel on a 50/5 ADSL line here and am looking for the optimal setup in terms of security and performance.
      Thanks in advance, Stefan

      • beatvjiking wrote:

        My guess is that AES-256 is not going to perform great on this box. The one I've set up is no slouch, but with five simultaneous AES-256 tunnels that CPU will likely be struggling. Then again, with 5Mb upload you could probably get away with it. My understanding is that the crypto accelerator is slated for support in 2.5 - https://forum.pfsense.org/index.php?topic=123013.msg679567#msg679567 - so I set BSD Cryptodev under the hardware setting. Not because it's currently doing anything, but because it's more likely to begin doing something without me changing something when support is released (AES-NI is technically for Intel/AMD hardware - the ARM instructions are like AES-NI but aren't the same).

        These are just my best guesses and I'm happy to be corrected, given my minimal experience with the unit.

        • rnatalli wrote:

          You won't be able to use the crypto accelerator until pfSense 2.5 comes out. Right now, the SG-1000 can do about 10Mbps over VPN, give or take depending on cipher and what other services you have running on the box.
