AES-NI Inactive?
-
I’ve just bought a motherboard and CPU to upgrade what I run my pfSense on. In particular I upgraded in order to use AES-NI. However I do not seem to be able to get it to work.
On the status page i get this:
Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
Current: 3000 MHz, Max: 3001 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)
However I’m at a loss as to how to get it to change to (active) and actually work.
I looked in the VPN client crypto settings expecting to find an option for AES-NI to enable it, but all I get are BSD cryptodev engine – RSA, DSA, DH and Intel RDRAND engine – RAND.
I’ve tried selecting both of them but it still says it’s inactive.
Am I missing something?
-
What does system->advanced->misc show under Cryptographic Hardware?
-
Thanks for the reply. Didn’t realise there was a setting there. Thought I just needed to enable it in the client setup. Got it to say active now, cheers.
-
Why is there an "AES-NI and BSD Crypto" selection?
What does it "prefer", i.e. on a Core i5?
Would it use HW if available, and fall back to SW if no HW encryption is available?
If yes, why does it have AES-NI and BSD as single selections too?
What is the recommended setting if one has an AES-NI capable CPU?
/Bingo
-
AES-NI loads aesni.ko
BSD Crypto loads cryptodev.ko
AES-NI and BSD Crypto loads both
What are you trying to accelerate? OpenVPN or IPsec or both?
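The module mapping in the reply above, as an added example that is not part of the original thread: a POSIX sh sketch that classifies the dashboard state from FreeBSD boot messages and `kldstat` output. It assumes the status reflects the AESNI CPU flag plus a loaded `aesni.ko`; the function names, the "No" and "None" labels and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample inputs below are constructed.
SAMPLE_DMESG='CPU: Intel(R) Core(TM) i5-3330 CPU @ 3.00GHz
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX,RDRAND>'
SAMPLE_KLD_NONE='Id Refs Address            Size Name
 1    1 0xffffffff80200000 0 kernel'
SAMPLE_KLD_AESNI="$SAMPLE_KLD_NONE
 2    1 0xffffffff82a00000 0 aesni.ko"
SAMPLE_KLD_BOTH="$SAMPLE_KLD_AESNI
 3    1 0xffffffff82b00000 0 cryptodev.ko"

# cpu_has_aesni DMESG_TEXT: succeeds if the CPU feature line lists AESNI.
cpu_has_aesni() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*Features2=' | grep -qw 'AESNI'
}

# module_loaded KLDSTAT_TEXT NAME: succeeds if NAME.ko is in the Name column.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2.ko" '$NF == m { found = 1 } END { exit !found }'
}

# aesni_status DMESG_TEXT KLDSTAT_TEXT: prints the status wording (assumed logic).
aesni_status() {
    if ! cpu_has_aesni "$1"; then echo "No"; return; fi
    if module_loaded "$2" aesni; then echo "Yes (active)"; else echo "Yes (inactive)"; fi
}

# loaded_setting KLDSTAT_TEXT: prints which selection matches the loaded modules.
loaded_setting() {
    a=0; c=0
    module_loaded "$1" aesni && a=1
    module_loaded "$1" cryptodev && c=1
    case "$a$c" in
        11) echo "AES-NI and BSD Crypto" ;;
        10) echo "AES-NI" ;;
        01) echo "BSD Crypto" ;;
        *)  echo "None" ;;
    esac
}

# On a FreeBSD/pfSense shell use live data; elsewhere fall back to the samples.
if command -v kldstat >/dev/null 2>&1 && [ -r /var/run/dmesg.boot ]; then
    dmesg_text=$(cat /var/run/dmesg.boot); kld_text=$(kldstat)
else
    dmesg_text=$SAMPLE_DMESG; kld_text=$SAMPLE_KLD_NONE
fi
echo "AES-NI CPU Crypto: $(aesni_status "$dmesg_text" "$kld_text")"
echo "Matching setting:  $(loaded_setting "$kld_text")"
```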
-
ATM OpenVPN (but only 30/40Mb u/d), so it would not be a prob. in SW.
But I was actually thinking of switching my OVPN (PKI/TLS) Site-to-Site (L2L) (summerhouse) tunnel to IPsec (PKI).
IPsec for L2L seems like a performance-wise advantage, if/when I get a 100/100Mb.
And then I'll just use OVPN for roadwarriors (family remote in), and VPN remote exit-nodes.
But this was just an academic question about why to be able to load both?
If I have AES-NI, that would perform best in all situations (I suppose)?
Is the possibility there for supporting SW encryption for some kind of conns (why?), and HW for others?
Ahh … Are some of the ciphers only supported in SW, due to HW crypto limitations?
From the front page (pfSense): Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
These might be the only ones with HW support for my CPU?
/Bingo