Netgate Discussion Forum

OpenVPN recommended Data Encryption Algorithms when using SG-2100 appliance's crypto engine?

Category: OpenVPN
23 Posts, 6 Posters, 2.9k Views
    michmoor LAYER 8 Rebel Alliance @jimp
    last edited by michmoor Jan 11, 2024, 4:18 PM

    @jimp
    Ahh, gotcha. What's interesting is that IPsec-MB works with ChaCha20.
    In my use case it makes sense to actually enable MB, as I get the best of both worlds: support for both types of encryption (GCM/ChaCha) and the implicit support of WireGuard, which QAT doesn't support (yet?!).
    I need to do more testing, but this is interesting.
    For what it's worth, I'm testing on a 6100.

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

      jimp Rebel Alliance Developer Netgate @michmoor
      last edited by Jan 11, 2024, 4:23 PM

      @michmoor There are some newer QAT devices that support ChaCha, but IIRC they are not yet widely available, and even if they were, I don't think FreeBSD has drivers for them yet. But since IPsec-MB performs so well (and it really flies on the CPU in the 4200 with AVX2), there are even fewer reasons to lean on hardware QAT in the future for these sorts of roles.

      But the hardware is always evolving, we try to keep on top of whatever is best as new things develop.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        JonathanLee @jimp
        last edited by JonathanLee Jan 11, 2024, 4:33 PM

        @jimp I still can't get vmstat to show anything for OpenVPN using the SafeXcel chip, with IPsec-MB enabled or disabled, ChaCha removed or added, DCO enabled or disabled; it shows this ID error.

        Is there something I am doing wrong? I think you told me it should be used automatically, but it's showing nothing in use and this ID error when I connect. I created a different post for that, as those are issues not related to this post.

        dco_update_peer_stat: invalid peer ID 1 returned by kernel

        https://forum.netgate.com/topic/185411/23-09-01-hardware-crypto-showing-no-hardware-crypto-acceleration-for-system-with-crypto-chip-installed/

        I understand that it is automagic now, but it is still having issues on my 2100 in 23.09.01.

        Thanks

        Make sure to upvote

          michmoor LAYER 8 Rebel Alliance @jimp
          last edited by Jan 11, 2024, 4:37 PM

          @jimp
          I've loaded IPsec-MB, fresh reboot, and so far it's about the same as with QAT. Doesn't hurt to keep it enabled, so I'll leave it.
          We know that DCO takes the load off the CPU, but I just want to share my monitoring graph. Can you tell when DCO was enabled? haha

          [image: CPU monitoring graph before and after enabling DCO]


            michmoor LAYER 8 Rebel Alliance @jimp
            last edited by Jan 11, 2024, 4:45 PM

            @jimp
            Internet line is 500/500, but ATT Fiber does over-provision.
            Here are the WireGuard results with IPsec-MB.
            I'm not complaining.

            [image: WireGuard speed test results with IPsec-MB enabled]


              jimp Rebel Alliance Developer Netgate @JonathanLee
              last edited by Jan 11, 2024, 4:54 PM

              @JonathanLee said in OpenVPN recommended Data Encryption Algorithms when using SG-2100 appliance's crypto engine?:

              @jimp I still can't get vmstat to show anything for OpenVPN using the SafeXcel chip, with IPsec-MB enabled or disabled, ChaCha removed or added, DCO enabled or disabled; it shows this ID error.

              ARM is not like x86; not everything shows up, like interrupts. IIRC there is no visible way to tell that SafeXcel is being used except by secondary observations (e.g., improved encryption throughput when enabled vs. disabled, or lower CPU usage when enabled vs. disabled).

              I'd keep that discussion going on your other thread, since it's more relevant there. But if you can pass traffic, the error is probably not harmful. And you'll need to run performance tests with it enabled/disabled and measure at least CPU usage and throughput when testing. But again, do all that and post it in the other thread.


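The enabled-vs-disabled measurement jimp describes, as an added example written for this page and not taken from the thread or from Netgate. On ARM appliances like the SG-2100 there is no interrupt counter that proves SafeXcel is doing the work, so the only evidence is secondary: tunnel throughput (iperf3 through the tunnel) and CPU load (vmstat) with the engine enabled versus disabled, everything else held constant. The iperf3 JSON and FreeBSD vmstat outputs embedded below are constructed sample data, not real measurements, and the `peer` used by `run_trial()` is a hypothetical iperf3 server on the far side of the tunnel.

```python
"""A/B check: does a crypto engine (SafeXcel, IPsec-MB, QAT) help OpenVPN?

Added example, not code from the forum thread or from Netgate.
"""
import json
import statistics
import subprocess
from typing import Dict, List


def iperf3_receiver_mbps(iperf3_json: str) -> float:
    """Receiver-side throughput in Mbit/s from `iperf3 -c <peer> -J` output."""
    result = json.loads(iperf3_json)
    return result["end"]["sum_received"]["bits_per_second"] / 1e6


def vmstat_busy_pct(vmstat_text: str) -> float:
    """Average CPU busy % (100 - idle) from FreeBSD `vmstat <interval> <count>`.

    The last three columns of every sample line are us/sy/id. Header lines end
    in non-numeric tokens and are skipped; the first sample line is the average
    since boot, which would dilute the measurement, so it is skipped too.
    """
    idle: List[int] = []
    for line in vmstat_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or not all(c.isdigit() for c in cols[-3:]):
            continue
        idle.append(int(cols[-1]))
    if len(idle) < 2:
        raise ValueError("need at least two vmstat samples (first is since-boot)")
    return 100.0 - statistics.fmean(idle[1:])


def compare_runs(enabled: Dict[str, str], disabled: Dict[str, str]) -> Dict[str, float]:
    """Compare an engine-enabled run against an engine-disabled run."""
    t_on = iperf3_receiver_mbps(enabled["iperf3"])
    t_off = iperf3_receiver_mbps(disabled["iperf3"])
    c_on = vmstat_busy_pct(enabled["vmstat"])
    c_off = vmstat_busy_pct(disabled["vmstat"])
    return {
        "throughput_on_mbps": t_on,
        "throughput_off_mbps": t_off,
        "throughput_gain_pct": (t_on - t_off) / t_off * 100.0,
        "cpu_busy_on_pct": c_on,
        "cpu_busy_off_pct": c_off,
        "cpu_busy_delta_pct": c_on - c_off,
    }


def verdict(cmp: Dict[str, float], min_effect_pct: float = 10.0) -> str:
    """The engine counts as effective if it buys throughput or saves CPU."""
    if cmp["throughput_gain_pct"] >= min_effect_pct or cmp["cpu_busy_delta_pct"] <= -min_effect_pct:
        return "engine effective"
    return "no measurable effect: check that the engine is actually active"


def run_trial(peer: str, seconds: int = 20) -> Dict[str, str]:
    """Collect real data: iperf3 through the tunnel while vmstat samples CPU.

    `peer` is a hypothetical iperf3 server reachable only through the tunnel.
    Run once with the engine enabled and once disabled (reboot in between),
    then feed both results to compare_runs().
    """
    vm = subprocess.Popen(["vmstat", "1", str(seconds)], stdout=subprocess.PIPE, text=True)
    ip = subprocess.run(["iperf3", "-c", peer, "-J", "-t", str(seconds)],
                        capture_output=True, text=True, check=True)
    vm_out, _ = vm.communicate()
    return {"iperf3": ip.stdout, "vmstat": vm_out}


def _sample(mbps: float, idle_samples: List[int]) -> Dict[str, str]:
    """Build constructed (not measured) iperf3 JSON and vmstat text."""
    header = [
        "procs    memory    page                      disks     faults       cpu",
        "r  b  w  avm  fre  flt  re  pi  po  fr  sr  mm0 ad0   in  sy  cs  us sy id",
        "0  0  0  1.2G 2.1G  12   0   0   0  10   5    0   0  120 300 400   2  5 93",  # since boot
    ]
    rows = [f"1  0  0  1.2G 2.1G   5   0   0   0   0   0    0   0 3400 900 5200  3 {100 - i - 3:2d} {i:2d}"
            for i in idle_samples]
    return {
        "iperf3": json.dumps({"end": {"sum_received": {"bits_per_second": mbps * 1e6}}}),
        "vmstat": "\n".join(header + rows),
    }


# Constructed sample data standing in for two real trials.
SAMPLE_ENABLED = _sample(412.0, [72, 70, 74])
SAMPLE_DISABLED = _sample(260.0, [49, 51, 50])

if __name__ == "__main__":
    result = compare_runs(SAMPLE_ENABLED, SAMPLE_DISABLED)
    for key, value in result.items():
        print(f"{key:>22}: {value:8.1f}")
    print(verdict(result))
```

Run the two trials under the same load (same client, same iperf3 parameters, same cipher in the OpenVPN data channel) so the only variable is the engine setting; the script deliberately compares receiver-side throughput, since that is what the tunnel actually delivered.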
                JonathanLee @jimp
                last edited by Jan 11, 2024, 5:23 PM

                @jimp Thanks, I got it to show logs. I posted everything in the other forum thread.

                Have a good one


                  JonathanLee @jimp
                  last edited by JonathanLee Nov 15, 2024, 3:58 PM

                  @jimp Quick question: I am learning that you should not enable both IPsec-MB and SafeXcel at the same time. Is this true? If so, should I open a Redmine so that the GUI will not allow enabling both?

                  Per @kprovost "JonathanLee I mean, you can't use both at the same time. The data's only ever going to be processed by one of them. I'd have to go dig deep in the code to tell you how the selection is made if both are enabled, but it looks like in this case it ends up using IIMB.

                  IIMB is fine, but probably not quite as fast as SafeXcel. You're getting crypto acceleration either way, just in a different way."

                  This leads to: @kprovost has a bug fix for the cryptographic code that OpenVPN uses, and it looks like it was merged. So I am confused at this point.

                  Can we or can't we use both of them?

                  This was the bug fix he worked on. So I assume he is a reputable source to state you can't use both with OpenVPN.

                  This was the buffer bug fix
                  https://sourceforge.net/p/openvpn/mailman/message/58728397/
                  https://github.com/OpenVPN/openvpn/issues/487

                  Does anyone have clarity on what occurs when both are enabled, i.e. when the GUI has both IPsec-MB and SafeXcel marked active?


                    kprovost @JonathanLee
                    last edited by Nov 15, 2024, 3:59 PM

                    @JonathanLee Either one will work. Things will even work if you have both activated, but then only one of them will do the work. We're not going to be splitting the cryptographic work between the two, or doing it twice just so both will get used.

                      JonathanLee @kprovost
                      last edited by Nov 15, 2024, 4:06 PM

                      @kprovost The speed difference is substantial with only one enabled, so much so that I would say this needs a Redmine to allow only one to be selected at a time. Anyone else agree?


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.