4. AES-IN Inactive?

AES-IN Inactive?

  • S

    I’ve just brought a motherboard and cpu to upgrade what i run my pfsense on. In particular i upgraded in order to use AES-NI. However i do not seem to be able to get it to work.

    On the status page i get this:
    Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
    Current: 3000 MHz, Max: 3001 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (inactive)

    However I’m at a loss as to how to get it to change to (active) and actually work.

    I looked in the VPN client crypo settings expecting to find an option for AES-NI to enable it but all i get are BSD cryptodev engine – RSA, DSA, DH and Intel RDRAND engine – RAND.
    I’ve tried selecting both of them but it still says it’s inactive.

    Am i missing something?

    0
  • ?

    What does system->advanced->misc show under Cryptographic Hardware?

    0
  • S

    Thanks for the reply. Didn’t realise there was a settings there. Thought i just needed to enable it in the client setup. Got it to say active now, cheers.

    0
  • B

    Why is there an "AES-NI and BSD Crypto" selection ?
    What does it "prefer" ie. on a Core-i5 ?

    Would it use HW if available , and fall back to SW if no HW encryption is available ?

    If yes , why does it have the AES-NI  and BSD as single selections too ?

    What is the recommended setting if one have an AES-NI capable CPU ?

    /Bingo

    0
  • LAYER 8 Netgate

    AES-NI loads aesni.ko
    BSD Crypto loads cryptodev.ko
    AES-NI and BSD Crypto loads both

    What are you trying to accelerate? OpenVPN or IPsec or both?

    0
  • B

    ATM OpenVPN (but only 30/40Mb u/d) , so it would not be a prob. in sw.

    But was actually thinking of switching my OVPN (PKI/TLS)  Site-to-Site (L2L)  (summerhouse) tunnel to - IPSEC (PKI)
    IPSEC for L2L seems like a performancewise advantage , if/when i get a 100/100Mb

    And the i'll just use OVPN for roadwarriors (family remote in) , and VPN remote exit-nodes

    But this was just an Academic question about why to be able to load both ?
    If i have AES-NI that would perform best in all situations (i suppose) ??

    Is the possibility there for supporting (SW encr for some kind of conns - why ?) , and HW for others ?

    Ahh … Are some of the ciphers only supported in SW , due to HW crypto limitations ?

    From the Front page (pfsense) : Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
    These might be the only ones w. HW support for my cpu ?

    /Bingo

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy