SG-1100 Crypto Hardware
-
A lot of the performance improvements for the SG-2100 are due to the fact it has two NICs.
mvneta(4) uses a single queue, which means two NICs can use both CPU cores more efficiently. It also has far more RAM, which helps a lot, especially if you're running any packages.
An early version of the SafeXcel driver was included in 2.4.5 but mostly just for testing at that point. You can enable it but it only supports AES-128-CBC and doesn't accelerate much.
The current version is much better.
Steve
-
I went back and found an email I wrote my team from September and I am pretty sure the two products' pages showed the same CPU. If it's different that is a good thing. Also the 2100 has a separate WAN port whereas the 1100 has all ports on the same switch.
Another thread: https://forum.netgate.com/topic/151296/update-sg-1100-crypto-hardware/8
Also Netgate had said 2.5 would "require" AES-NI, which they backed away from. I'm assuming if they're going to launch the 2100 they won't be making it obsolete and un-upgradeable in the near future.
-
@stephenw10 said in SG-1100 Crypto Hardware:
An early version of the SafeXcel driver was included in 2.4.5 but mostly just for testing at that point. You can enable it but it only supports AES-128-CBC and doesn't accelerate much.
The current version is much better.
Will that updated driver be included in pfSense 2.5.0?
The linked FreeBSD manual page says that "the safexcel driver first appeared in FreeBSD 13.0."
-
Since I've had an SG-3100, I've been using HCA in the SG-1100 with AES-CBC-128 for about 6 months.
No crash, no problems, just works.
50 Mbit/s corresponds to a CPU utilization of approx. 40%. I think the SG-1100 and SG-2100 deliver roughly the same speed with the HCA on.
-
@rdsmith24 in the latest version of pfSense + 21.02-RELEASE (arm64) going to [System][Advanced][miscellaneous][Cryptographic & Thermal Hardware][Cryptographic Hardware] you can enable "SafeXcel". Your CPU Type at the [Status][Dashboard] will show:
ARM Cortex-A53 r0p4
2 CPUs:
CPU 0: ARM Cortex-A53 r0p4 affinity: 0
CPU 1: ARM Cortex-A53 r0p4 affinity: 1
Crypto: (SafeXcel active)
-
Correct, I also ticked that box after upgrading to 21.02 and rebooted.
After that, one of my three IPsec tunnels did come up but didn't transport data (no ping, nothing), although the IPsec SA was up etc. Disabling that hw crypto (+ reboot) made it work again.
-
@sgw please work with Netgate TAC to resolve your issue or report a bug.
-
So.. what is the performance improvement with SafeXcel active?
I'm running 2 OpenVPN tunnels on the SG-1100..
Data Ciphers: AES-256-GCM, AES-128-GCM, AES-256-CBC
Digest: SHA1
Data Ciphers: AES-128-GCM, AES-256-GCM
Digest: SHA384
-
@taz79 Does it do anything for OpenVPN? Anything I've read has been to do with improved IPsec performance.
-
@taz79 I tend to complain a lot if I PAY for something that's not working right, which is why I was disappointed that my hardware crypto was not working on the pfSense when I got it over a year ago. But the latest update to 2.5 enabled crypto. I went into the OpenVPN config and turned it on for 2 tunnels. I also installed WireGuard on a couple of phones and routed all network traffic from the phones through the pfSense. It's very nice and persistent and doesn't quit even when the phones reboot. This update was a big improvement. My tunnels are spread across the world, all 1000s of miles from each other, so it would not be fair for me to talk about speed since my VPN speed is mostly limited by latency... Long fat pipe syndrome. But even at 8000 miles, I get about 50 / 50 up and down through the VPN, and that's a pretty good improvement. WireGuard is even faster and more reliable. Finger-poking settings into both the pfSense and the phone or computer means that WireGuard is still far less convenient than OpenVPN, but I'm hoping there will be a QR code package for pfSense WireGuard soon to make it simple.
-
@kejianshi Maybe a good opportunity for me to set up a VPN connection for my phone now then.. To try out WireGuard at the same time :)
-
@sgw said in SG-1100 Crypto Hardware:
Correct, I also ticked that box after upgrading to 21.02 and rebooted.
After that, one of my three IPsec tunnels did come up but didn't transport data (no ping, nothing), although the IPsec SA was up etc. Disabling that hw crypto (+ reboot) made it work again.
Try using AESGCM for P2.
-
@marcos-ng said in SG-1100 Crypto Hardware:
@sgw said in SG-1100 Crypto Hardware:
Correct, I also ticked that box after upgrading to 21.02 and rebooted.
After that, one of my three IPsec tunnels did come up but didn't transport data (no ping, nothing), although the IPsec SA was up etc. Disabling that hw crypto (+ reboot) made it work again.
Try using AESGCM for P2.
Tried that, but the one tunnel still doesn't work. As far as I understand the logs, the other side only offers AES. I mailed them now to adjust the algorithms asap.
-
@sgw The other option is to use MD5 as the hash algorithm, though I would recommend against it if at all possible. AESGCM is the ideal workaround here. Best of luck.
-