Update? SG-1100-crypto-hardware
-
Thanks!
-
Can pfsense use AES-128-CBC for an ipsec site to site VPN?
-
Yes.
-Rico
-
Thank you for the reply.
Sorry for the basic question but...
Under phase 2 proposal
Protocol: ESP
Encryption algorithm:
Selected AES
Selected 256 bits
Unselected all other protocols
Added Hash Algorithm SHA256
By doing the above, will the VPN use the hardware acceleration AES-256-CBC? I am hesitant because CBC isn't mentioned anywhere.
Thank you for your help,
Devan
-
Nevermind, I saw in the log:
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Thank you again.
-
@stephenw10 said in Update? SG-1100-crypto-hardware:
Right now it supports only AES-128-CBC
This is still true. If you want to test the hardware crypto you can only use that currently.
Steve
-
Does the output of:
openssl engine -c -t
Indicate which algorithms are hardware accelerated?
[2.4.5-RELEASE][admin@sg1100]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][admin@sg1100]/root:
Thank you for clarifying,
Devan
-
It may register for more ciphers in the BSD cryptoframework but the code in the driver itself only supports AES-128-CBC.
I'm not sure how you appear to have the Intel Random Number device present on the SG-1100 there....
Steve
-
My error, wrong box.
SG-1100 properly:
[2.4.5-RELEASE][admin@pfSense.private.com]/root: openssl engine -c -t
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[2.4.5-RELEASE][admin@pfSense.private.com]/root:
-
Ah, good. That had me questioning everything!
But, yes, the driver can only actually accelerate AES-128-CBC.
Steve
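An added example (not from any post in this thread) that automates the check the thread arrives at by hand: it parses the `openssl engine -c -t` output and the charon "configured proposals" line quoted above, maps the ESP cipher to OpenSSL's name, and reports whether the engine merely advertises it versus whether the SG-1100 driver actually accelerates it. The set of driver-accelerated ciphers (AES-128-CBC only) is taken from Steve's statements in the thread, not from any driver source.

```python
import re

# `openssl engine -c -t` output as posted for the SG-1100 (pfSense 2.4.5), one item per line.
ENGINE_OUTPUT = """\
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
"""

# strongSwan (charon) log line quoted in the thread.
CHARON_LINE = "configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ"

# What the SG-1100 driver really accelerates, per Steve's replies in this thread.
DRIVER_ACCELERATED = {"AES-128-CBC"}


def parse_engines(text):
    """Return {engine_id: {name, caps, available}} from `openssl engine -c -t` output."""
    engines, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\((\w+)\)\s+(.*)", line)          # "(cryptodev) BSD cryptodev engine"
        if m:
            current = m.group(1)
            engines[current] = {"name": m.group(2), "caps": [], "available": False}
            continue
        m = re.match(r"\s*\[\s*(available|unavailable)\s*\]", line)   # "[ available ]"
        if m and current:
            engines[current]["available"] = m.group(1) == "available"
            continue
        m = re.match(r"\s*\[(.*)\]", line)              # "[RSA, DSA, ..., AES-256-CBC]"
        if m and current:
            engines[current]["caps"] = [c.strip() for c in m.group(1).split(",")]
    return engines


def esp_cipher_to_openssl(proposal):
    """Map the ESP encryption algorithm of a charon proposal (AES_CBC_<bits>) to OpenSSL's name."""
    enc = proposal.split("ESP:", 1)[1].split("/")[0]   # e.g. "AES_CBC_256"
    m = re.fullmatch(r"AES_CBC_(\d+)", enc)            # only CBC is handled here
    return f"AES-{m.group(1)}-CBC" if m else None


def check_proposal(proposal, engine_text, accelerated=DRIVER_ACCELERATED):
    """Distinguish 'engine advertises the cipher' from 'driver actually accelerates it'."""
    cipher = esp_cipher_to_openssl(proposal)
    engines = parse_engines(engine_text)
    advertised = any(cipher in e["caps"] and e["available"] for e in engines.values())
    return {"cipher": cipher, "advertised_by_engine": advertised,
            "accelerated_by_driver": cipher in accelerated}
```

For the AES-256 proposal in the thread the result is advertised but not accelerated; switching the phase 2 proposal to AES 128 bits is what makes both flags true.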