Netgate Discussion Forum

    AES-NI Inactive?

    6 Posts 4 Posters 55.4k Views
    • smegheed

      I’ve just bought a motherboard and CPU to upgrade what I run my pfSense on. In particular, I upgraded in order to use AES-NI. However, I do not seem to be able to get it to work.

      On the status page I get this:
      Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
      Current: 3000 MHz, Max: 3001 MHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: Yes (inactive)

      However I’m at a loss as to how to get it to change to (active) and actually work.

      I looked in the VPN client crypto settings expecting to find an option for AES-NI to enable it, but all I get are BSD cryptodev engine – RSA, DSA, DH and Intel RDRAND engine – RAND.
      I’ve tried selecting both of them but it still says it’s inactive.

      Am I missing something?

      • Guest

        What does system->advanced->misc show under Cryptographic Hardware?

        • smegheed

          Thanks for the reply. Didn’t realise there was a setting there. Thought I just needed to enable it in the client setup. Got it to say active now, cheers.

          • bingo600

            Why is there an "AES-NI and BSD Crypto" selection?
            What does it "prefer", i.e. on a Core-i5?

            Would it use HW if available, and fall back to SW if no HW encryption is available?

            If yes, why does it have the AES-NI and BSD as single selections too?

            What is the recommended setting if one has an AES-NI capable CPU?

            /Bingo

            If you find my answer useful - Please give the post a 👍 - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

            • Derelict LAYER 8 Netgate

              AES-NI loads aesni.ko
              BSD Crypto loads cryptodev.ko
              AES-NI and BSD Crypto loads both

              What are you trying to accelerate? OpenVPN or IPsec or both?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)
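
The mapping in the post above (each selection loads `aesni.ko`, `cryptodev.ko`, or both) can be checked from a shell by looking at the loaded kernel modules. This is an added example, not part of the original thread or of pfSense itself; the function name `crypto_selection` is hypothetical, and the `kldstat` sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Reads FreeBSD `kldstat` output on stdin and reports which of the
# selections named in the post the loaded modules correspond to.
# It only sees modules loaded as .ko files; crypto support compiled
# into the kernel would not show up as a separate line.

crypto_selection() {
    # Column 5 of `kldstat` output is the module file name.
    awk '
        $5 == "aesni.ko"     { aesni = 1 }
        $5 == "cryptodev.ko" { cdev = 1 }
        END {
            if (aesni && cdev) print "AES-NI and BSD Crypto"
            else if (aesni)    print "AES-NI"
            else if (cdev)     print "BSD Crypto"
            else               print "no crypto module loaded"
        }
    '
}

# Constructed samples (ids, addresses and sizes are made up).
SAMPLE_BOTH='Id Refs Address                Size Name
 1   12 0xffffffff80200000  2f0d1a8 kernel
 2    1 0xffffffff83221000     3b40 aesni.ko
 3    1 0xffffffff83225000     9a58 cryptodev.ko'

SAMPLE_AESNI='Id Refs Address                Size Name
 1    8 0xffffffff80200000  2f0d1a8 kernel
 2    1 0xffffffff83221000     3b40 aesni.ko'

SAMPLE_NONE='Id Refs Address                Size Name
 1    6 0xffffffff80200000  2f0d1a8 kernel'

# Demo over the constructed samples.
for sample in "$SAMPLE_BOTH" "$SAMPLE_AESNI" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | crypto_selection
done
```

On a live firewall the equivalent call would be `kldstat | crypto_selection`.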

              • bingo600

                ATM OpenVPN (but only 30/40Mb u/d), so it would not be a prob. in SW.

                But I was actually thinking of switching my OVPN (PKI/TLS) Site-to-Site (L2L) (summerhouse) tunnel to IPSEC (PKI).
                IPSEC for L2L seems like a performance-wise advantage, if/when I get a 100/100Mb.

                And then I'll just use OVPN for road warriors (family remote in), and VPN remote exit-nodes.

                But this was just an academic question about why to be able to load both?
                If I have AES-NI, that would perform best in all situations (I suppose)??

                Is the possibility there for supporting (SW encr for some kind of conns - why?), and HW for others?

                Ahh … Are some of the ciphers only supported in SW, due to HW crypto limitations?

                From the front page (pfSense): Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
                These might be the only ones w. HW support for my CPU?

                /Bingo

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.