SG-1100 Crypto Hardware
-
Since I've had an SG-3100, I've been using HCA in the SG-1100 with AES-CBC-128 for about 6 months.
No crash, no problems, just works.
50 Mbit/s corresponds to a CPU utilization of approx. 40%. I think the SG-1100 and SG-2100 deliver roughly the same speed with the HCA on.
-
@rdsmith24 In the latest version of pfSense+ 21.02-RELEASE (arm64), going to [System][Advanced][Miscellaneous][Cryptographic & Thermal Hardware][Cryptographic Hardware] you can enable "SafeXcel". Your CPU Type at [Status][Dashboard] will show:
ARM Cortex-A53 r0p4
2 CPUs:
CPU 0: ARM Cortex-A53 r0p4 affinity: 0
CPU 1: ARM Cortex-A53 r0p4 affinity: 1
Crypto: (SafeXcel active)
-
correct, I also ticked that box after upgrading to 21.02 and rebooted.
After that one of my three IPsec tunnels did come up but didn't transport data = no ping, nothing, although the IPsec SA was up etc. Disabling that hw crypto (+ reboot) made it work again.
-
@sgw please work with Netgate TAC to resolve your issue or report a bug.
-
So.. what is the performance improvement with SafeXcel active?
I'm running 2 OpenVPN tunnels on the SG-1100.
Tunnel 1:
Data Ciphers: AES-256-GCM, AES-128-GCM, AES-256-CBC
Digest: SHA1
Tunnel 2:
Data Ciphers: AES-128-GCM, AES-256-GCM
Digest: SHA384
-
@taz79 Does it do anything for OpenVPN? Anything I've read has been to do with improved IPsec performance.
-
@taz79 I tend to complain a lot if I PAY for something that's not working right, which is why I was disappointed that my hardware crypto was not working on the pfSense when I got it over a year ago. But the latest update to 2.5 enabled crypto. I went into the OpenVPN config and turned it on for 2 tunnels. I also installed WireGuard on a couple of phones and routed all network traffic from the phones through the pfSense. It's very nice and persistent and doesn't quit even when the phones reboot. This update was a big improvement. My tunnels are spread across the world, all 1000s of miles from each other, so it would not be fair for me to talk about speed since my VPN speed is mostly limited by latency... long fat pipe syndrome. But even at 8000 miles, I get about 50/50 up and down through the VPN and that's a pretty good improvement. WireGuard is even faster and more reliable. Finger-poking settings into both the pfSense and the phone or computer means that WireGuard is still far less convenient than OpenVPN, but I'm hoping there will be a QR code package for pfSense WireGuard soon to make it simple.
-
@kejianshi Maybe a good opportunity for me to set up a VPN connection for my phone now then, to try out WireGuard at the same time :)
-
@sgw said in SG-1100 Crypto Hardware:
correct, I also ticked that box after upgrading to 21.02 and rebooted.
After that one of my three IPsec tunnels did come up but didn't transport data = no ping, nothing, although the IPsec SA was up etc. Disabling that hw crypto (+ reboot) made it work again.
Try using AESGCM for P2.
-
@marcos-ng said in SG-1100 Crypto Hardware:
@sgw said in SG-1100 Crypto Hardware:
correct, I also ticked that box after upgrading to 21.02 and rebooted.
After that one of my three IPsec tunnels did come up but didn't transport data = no ping, nothing, although the IPsec SA was up etc. Disabling that hw crypto (+ reboot) made it work again.
Try using AESGCM for P2.
Tried that, but the one tunnel still doesn't work. As far as I understand the logs, the other side only offers AES. I mailed them now to adjust the algorithms asap.
-
@sgw The other option is to use MD5 as the hash algorithm, though I would recommend avoiding that if possible. AESGCM is the ideal workaround here. Best of luck.
-
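A quick way to answer the "what does SafeXcel actually buy me" question raised in this thread, and to sanity-check the AES-CBC vs AES-GCM choice for the P2 workaround, is to benchmark both ciphers with openssl speed once with the accelerator enabled and once with it disabled. The script below is an added example written for this page, not Netgate's or pfSense's own code. It assumes openssl(1) and dmesg are available on the box (a FreeBSD/pfSense system such as the SG-1100) and that openssl speed prints its usual summary line; the figures used in the parsing helpers' comments are constructed, not measured.

```shell
#!/bin/sh
# Added example (not from the forum thread). Checks whether the safexcel(4)
# driver attached and benchmarks AES-CBC vs AES-GCM with "openssl speed".
# Assumptions: openssl(1) and dmesg are in PATH; run on FreeBSD/pfSense.

# Report whether the SafeXcel driver attached. After ticking the option in
# System > Advanced > Miscellaneous and rebooting, dmesg should mention it.
safexcel_status() {
    if dmesg 2>/dev/null | grep -qi safexcel; then
        echo "safexcel: attached"
    else
        echo "safexcel: not found in dmesg (option off, not rebooted, or no such device)"
    fi
}

# openssl speed ends with a summary line per cipher, for example (constructed):
#   aes-128-cbc   12345.67k   23456.78k   34567.89k   45678.90k   56789.01k
# The numbers are 1000s of bytes per second; the last column is the largest
# block size, the closest match to bulk VPN traffic.
# $1 = cipher name, $2 = full openssl speed output. Prints the last column.
parse_speed_line() {
    printf '%s\n' "$2" | awk -v c="$1" '$1 == c { print $NF }'
}

# Convert an openssl speed figure such as "56789.01k" to Mbit/s (rounded).
kbps_to_mbit() {
    printf '%s\n' "$1" | awk '{ sub(/k$/, "", $1); printf "%d\n", ($1 * 8 / 1000) + 0.5 }'
}

# Ratio of two openssl speed figures (e.g. accelerated / software), one decimal.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { sub(/k$/, "", a); sub(/k$/, "", b); printf "%.1f\n", a / b }'
}

# Benchmark one EVP cipher for a couple of seconds and print the 16 KiB column.
# -evp makes OpenSSL use the EVP path, which is where engine/driver offload
# is picked up; compare the figure with the option on and off.
speed_kbps() {
    cipher="$1"
    out=$(openssl speed -evp "$cipher" -seconds 2 2>/dev/null)
    parse_speed_line "$cipher" "$out"
}

# Run the full comparison only when invoked as "sh thisscript.sh bench", so
# sourcing the file for its helpers does not start a multi-second benchmark.
case "${1:-}" in
bench)
    safexcel_status
    for c in aes-128-cbc aes-256-cbc aes-128-gcm aes-256-gcm; do
        k=$(speed_kbps "$c")
        echo "$c: $k -> $(kbps_to_mbit "$k") Mbit/s"
    done
    ;;
esac
```

Run it as `sh aes-bench.sh bench` twice, once with the SafeXcel option enabled and once with it disabled (reboot in between, as the posts above note), and feed the two figures for the same cipher to `speedup` to see the gain. If the GCM figure is well ahead of CBC on the same box, that is one more reason to prefer AESGCM for the P2 proposal rather than falling back to a weaker hash.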