AES-IN Inactive?



  • I’ve just brought a motherboard and cpu to upgrade what i run my pfsense on. In particular i upgraded in order to use AES-NI. However i do not seem to be able to get it to work.

    On the status page i get this:
    Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
    Current: 3000 MHz, Max: 3001 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (inactive)

    However I’m at a loss as to how to get it to change to (active) and actually work.

    I looked in the VPN client crypo settings expecting to find an option for AES-NI to enable it but all i get are BSD cryptodev engine – RSA, DSA, DH and Intel RDRAND engine – RAND.
    I’ve tried selecting both of them but it still says it’s inactive.

    Am i missing something?



  • What does system->advanced->misc show under Cryptographic Hardware?



  • Thanks for the reply. Didn’t realise there was a settings there. Thought i just needed to enable it in the client setup. Got it to say active now, cheers.



  • Why is there an "AES-NI and BSD Crypto" selection ?
    What does it "prefer" ie. on a Core-i5 ?

    Would it use HW if available , and fall back to SW if no HW encryption is available ?

    If yes , why does it have the AES-NI  and BSD as single selections too ?

    What is the recommended setting if one have an AES-NI capable CPU ?

    /Bingo


  • Netgate

    AES-NI loads aesni.ko
    BSD Crypto loads cryptodev.ko
    AES-NI and BSD Crypto loads both

    What are you trying to accelerate? OpenVPN or IPsec or both?



  • ATM OpenVPN (but only 30/40Mb u/d) , so it would not be a prob. in sw.

    But was actually thinking of switching my OVPN (PKI/TLS)  Site-to-Site (L2L)  (summerhouse) tunnel to - IPSEC (PKI)
    IPSEC for L2L seems like a performancewise advantage , if/when i get a 100/100Mb

    And the i'll just use OVPN for roadwarriors (family remote in) , and VPN remote exit-nodes

    But this was just an Academic question about why to be able to load both ?
    If i have AES-NI that would perform best in all situations (i suppose) ??

    Is the possibility there for supporting (SW encr for some kind of conns - why ?) , and HW for others ?

    Ahh … Are some of the ciphers only supported in SW , due to HW crypto limitations ?

    From the Front page (pfsense) : Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
    These might be the only ones w. HW support for my cpu ?

    /Bingo