Encryption offload card or new systems?

  • Hi Forum!

    I have a pair of Dell PowerEdge R610s in HA config at one of my corporate sites. They are running Intel Xeon (Nehalem) L5520 processors, which do not support AES-NI. We have IPsec tunnels to 6 other sites. They usually only push a few megs of traffic, but occasionally we see uploads from one site to another hit 200-300 Mbps. Unfortunately, we've had a few tunnel crashes recently, which seem to coincide with high IPsec usage.

    Is it worth finding hardware offload cards to handle the encryption, or should we just go with new boxes that support AES-NI? My challenge with the official NetGate hardware is that none of them seem to support dual power supplies, which is a requirement for all of our critical gear (we dual cord everything to separate PDUs on separate UPS units). So, if we find new hardware, we'll probably be looking at newer 13th or 14th gen PowerEdge gear which requires a budget exception to order.

    As a stopgap, is there a more efficient, moderately less secure algorithm than AES256 which might prevent crashes?

    Thanks for your feedback.

  • Netgate Administrator

    It's not worth putting a hardware crypto card in there. At least none that I'm aware of. Cards that might actually be effective there are not supported in FreeBSD/pfSense.
    However it does look like those boxes support 5600 Xeons that do have AES-NI so that might be an option for you. That's based on a brief Google, more research needed!

    10-year-old hardware though; if it's crashing at all it might be time to replace it.
    Edit: Those 5600 Xeons are very cheap now though, probably worth throwing some in there as a test.
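
    Before ordering 5600-series Xeons, it is worth confirming on the running box what the CPU actually advertises and how much AES-NI is worth for the ciphers a tunnel would use. The script below is an added example, not code from this thread or from Netgate. It reads the feature string FreeBSD prints in dmesg.boot (`Features2=...<...,AESNI,...>`) or, on Linux, the `flags` line of /proc/cpuinfo, and decides whether AES-NI is present by whole-token match. With `bench` as its argument it then runs `openssl speed -evp` for AES-256-GCM, AES-128-GCM and ChaCha20-Poly1305 twice: once as detected, and once with OpenSSL's AES-NI code path masked off via `OPENSSL_ia32cap="~0x200000000000000"` (bit 57, the AES-NI CPUID bit, as OpenSSL's own documentation describes). The `-seconds` option assumes OpenSSL 1.1.0 or newer. The numbers reflect OpenSSL userland, not the kernel's aesni(4) driver that carries IPsec traffic, so treat them as a ratio, not a prediction of tunnel throughput; whether your IPsec stack offers ChaCha20-Poly1305 as an alternative to AES is something to confirm in its own configuration.

```shell
#!/bin/sh
# Added example (not from the original thread): detect AES-NI on FreeBSD/pfSense
# or Linux, and optionally measure what it buys for common IPsec ciphers.

# Print "yes" if the given CPU feature string advertises AES-NI, else "no".
# FreeBSD dmesg:   Features2=0x1fbee3bf<SSE3,PCLMULQDQ,...,AESNI,XSAVE,AVX>
# Linux cpuinfo:   flags : fpu vme ... pclmulqdq ... aes avx ...
# Tokens are matched whole, so "vaes" or "AESNI" inside another word cannot
# produce a false positive.
aesni_in_features() {
    toks=$(printf '%s' "$1" | tr '<> \t' ',,,,')
    case ",$toks," in
        *,AESNI,*|*,aes,*) echo yes ;;
        *)                 echo no ;;
    esac
}

# Fetch the feature line for the first CPU from whatever this OS provides.
cpu_features() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then
        grep -m1 'Features2=' /var/run/dmesg.boot
    else
        # Last resort: print the model string so it can be looked up by hand.
        sysctl -n hw.model 2>/dev/null
    fi
}

# Run openssl speed for one EVP cipher with AES-NI as detected, then with the
# AES-NI code path masked off. The last output line is the throughput summary
# in thousands of bytes/second for 16 B up to 16 KiB blocks.
bench_cipher() {
    printf '%s, AES-NI as detected:  ' "$1"
    openssl speed -evp "$1" -seconds 2 2>/dev/null | tail -n 1
    printf '%s, AES-NI masked off:   ' "$1"
    OPENSSL_ia32cap='~0x200000000000000' \
        openssl speed -evp "$1" -seconds 2 2>/dev/null | tail -n 1
}

# Usage: sh aesni-check.sh        -> just report whether AES-NI is present
#        sh aesni-check.sh bench  -> also benchmark three tunnel ciphers
case "${1-}" in
    bench)
        feats=$(cpu_features)
        echo "CPU features: $feats"
        echo "AES-NI present: $(aesni_in_features "$feats")"
        for c in aes-256-gcm aes-128-gcm chacha20-poly1305; do
            bench_cipher "$c"
        done
        ;;
    "")
        ;;
    *)
        feats=$(cpu_features)
        echo "AES-NI present: $(aesni_in_features "$feats")"
        ;;
esac
```

    On the L5520s the detector should answer "no" and the two benchmark rows per AES cipher should be nearly identical; on a 5600 they should differ by a large factor for the AES ciphers and not at all for ChaCha20-Poly1305, which is the quickest way to see whether the CPU swap will actually move the bottleneck.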

