AES-IN Inactive?

smegheed

I’ve just brought a motherboard and cpu to upgrade what i run my pfsense on. In particular i upgraded in order to use AES-NI. However i do not seem to be able to get it to work.

On the status page i get this:
Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
Current: 3000 MHz, Max: 3001 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)

However I’m at a loss as to how to get it to change to (active) and actually work.

I looked in the VPN client crypo settings expecting to find an option for AES-NI to enable it but all i get are BSD cryptodev engine – RSA, DSA, DH and Intel RDRAND engine – RAND.
I’ve tried selecting both of them but it still says it’s inactive.

Am i missing something?

Guest

What does system->advanced->misc show under Cryptographic Hardware?

smegheed

Thanks for the reply. Didn’t realise there was a settings there. Thought i just needed to enable it in the client setup. Got it to say active now, cheers.

bingo600

Why is there an "AES-NI and BSD Crypto" selection ?
What does it "prefer" ie. on a Core-i5 ?

Would it use HW if available , and fall back to SW if no HW encryption is available ?

If yes , why does it have the AES-NI  and BSD as single selections too ?

What is the recommended setting if one have an AES-NI capable CPU ?

/Bingo

Derelict

AES-NI loads aesni.ko
BSD Crypto loads cryptodev.ko
AES-NI and BSD Crypto loads both

What are you trying to accelerate? OpenVPN or IPsec or both?

bingo600

ATM OpenVPN (but only 30/40Mb u/d) , so it would not be a prob. in sw.

But was actually thinking of switching my OVPN (PKI/TLS)  Site-to-Site (L2L)  (summerhouse) tunnel to - IPSEC (PKI)
IPSEC for L2L seems like a performancewise advantage , if/when i get a 100/100Mb

And the i'll just use OVPN for roadwarriors (family remote in) , and VPN remote exit-nodes

But this was just an Academic question about why to be able to load both ?
If i have AES-NI that would perform best in all situations (i suppose) ??

Is the possibility there for supporting (SW encr for some kind of conns - why ?) , and HW for others ?

Ahh … Are some of the ciphers only supported in SW , due to HW crypto limitations ?

From the Front page (pfsense) : Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
These might be the only ones w. HW support for my cpu ?

/Bingo