AES-NI and OpenVPN?

N8LBV · Apr 29, 2023, 6:15 PM

@stephenw10 Thanks! excellent clarifcations.
-Steve

N8LBV · Apr 29, 2023, 6:18 PM

Laptop single nic OpenVPN HTTP throughput test.
35Watt Laptop CPU from Jan 2009. NO-AES-NI.

Intel Core2 Duo Processor T6400
2M Cache, 2.00 GHz, 800 MHz FSB

N8LBV · Apr 29, 2023, 6:26 PM

Same test through dual NAT no OpenVPN.
That early 2009 laptop (running PFsense) has a Broadcom NIC on the mainboard.

RobbieTT · Apr 29, 2023, 6:43 PM

@stephenw10 said in AES-NI and OpenVPN?:

The line in the system information widget currently shows if the CPU is reporting it supports AES-NI. It shows as active if the kernel module is loaded.

Just out of curiosity, why would the kernel module not be loaded?

️

JimBob Indiana · Apr 29, 2023, 7:25 PM

@robbiett Good question. Mine since I can remember said “Inactive”. I played with the VPN configuration options yesterday and today, says “Active”.

I didn’t actually do a VPN.

CPU Type Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
Current: 2800 MHz, Max: 3601 MHz
8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No
Hardware crypto AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS

RobbieTT · Apr 29, 2023, 8:03 PM

@jimbob-indiana I had presumed (and we all know where assumptions lead) was that QAT was being preferred* over AES-NI; now I am not so sure.

️

*As it is rather excellent

Dobby_ · Apr 30, 2023, 9:36 AM

@robbiett

please have a look at the Intel QAT, because this is loaded instead of the AES-NI!!!! You can use AES-NI or Intel QAT
but not both!

Dobby_ · Apr 30, 2023, 3:34 PM

@jimbob-indiana said in AES-NI and OpenVPN?:

Good question. Mine since I can remember said “Inactive”. I played with the VPN configuration options yesterday and today, says “Active”.

Mine fresh installed says "active" too!
You can see with no configured VPN actual!

RobbieTT · Apr 30, 2023, 9:36 AM

@dobby_ said in AES-NI and OpenVPN?:

@robbiett

please have a look at the Intel QAT, because this is loaded instead of the AES-NI!!!! You can use AES-NI or Intel QAT
but not both!

Err, I did.

I literally stated my assumption that QAT was preferred over AES-NI and the graphic showing QAT (active) & AES-NI (inactive) is my own (!!!!...?).

JimBob Indiana · Apr 30, 2023, 3:34 PM

@dobby_ I have no idea why mine said Inactive and now says Active. All I did was mess with the vpn stuff just to see what is required.

Dobby_ · Apr 30, 2023, 5:58 PM

@jimbob-indiana said in AES-NI and OpenVPN?:

@dobby_ I have no idea why mine said Inactive and now says Active. All I did was mess with the vpn stuff just to see what is required.

I was only changing the settings in the filed shown below
in the picture (red arrow), after that the AES-NI was shown
permanent as "active" and this also with no configured VPN! I was choosing both entries from the menue:
AES-NI & CryptoDev

So I think since that, the CryptoDev is taking contact to the
AES-NI and there fore it will be announced as "active".

stephenw10 · Apr 30, 2023, 7:49 PM

The active/inactive label only indicates whether or not the module is loaded. Not whether it's actually in use.

Technically you could load both modules but since both would attempt to register for the same crypto algorithms the result would be confusing. So the webgui only offers the choice to load one of them.

RobbieTT · May 1, 2023, 12:01 PM

@stephenw10 Hey, an assumption turned out right! My journey into full pfSense nirvana continues.