1. Home
  2. pfSense® Software
  3. Hardware
  4. AES-IN Inactive?

AES-IN Inactive?

  • S

    I’ve just brought a motherboard and cpu to upgrade what i run my pfsense on. In particular i upgraded in order to use AES-NI. However i do not seem to be able to get it to work.

    On the status page i get this:
    Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
    Current: 3000 MHz, Max: 3001 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (inactive)

    However I’m at a loss as to how to get it to change to (active) and actually work.

    I looked in the VPN client crypo settings expecting to find an option for AES-NI to enable it but all i get are BSD cryptodev engine – RSA, DSA, DH and Intel RDRAND engine – RAND.
    I’ve tried selecting both of them but it still says it’s inactive.

    Am i missing something?

    0
  • ?

    What does system->advanced->misc show under Cryptographic Hardware?

    0
  • S

    Thanks for the reply. Didn’t realise there was a settings there. Thought i just needed to enable it in the client setup. Got it to say active now, cheers.

    0
  • B

    Why is there an "AES-NI and BSD Crypto" selection ?
    What does it "prefer" ie. on a Core-i5 ?

    Would it use HW if available , and fall back to SW if no HW encryption is available ?

    If yes , why does it have the AES-NI  and BSD as single selections too ?

    What is the recommended setting if one have an AES-NI capable CPU ?

    /Bingo

    0
  • Derelict
    LAYER 8 Netgate

    AES-NI loads aesni.ko
    BSD Crypto loads cryptodev.ko
    AES-NI and BSD Crypto loads both

    What are you trying to accelerate? OpenVPN or IPsec or both?

    0
  • B

    ATM OpenVPN (but only 30/40Mb u/d) , so it would not be a prob. in sw.

    But was actually thinking of switching my OVPN (PKI/TLS)  Site-to-Site (L2L)  (summerhouse) tunnel to - IPSEC (PKI)
    IPSEC for L2L seems like a performancewise advantage , if/when i get a 100/100Mb

    And the i'll just use OVPN for roadwarriors (family remote in) , and VPN remote exit-nodes

    But this was just an Academic question about why to be able to load both ?
    If i have AES-NI that would perform best in all situations (i suppose) ??

    Is the possibility there for supporting (SW encr for some kind of conns - why ?) , and HW for others ?

    Ahh … Are some of the ciphers only supported in SW , due to HW crypto limitations ?

    From the Front page (pfsense) : Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
    These might be the only ones w. HW support for my cpu ?

    /Bingo

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy