Netgate Discussion Forum

    23.09.01 Hardware Crypto showing No Hardware Crypto Acceleration for system with crypto chip installed

    • JonathanLeeJ
      JonathanLee
      last edited by

      Hello fellow Netgate community members, can you please help?

      My Hardware Crypto is no longer showing up under OpenVPN configuration. My Netgate appliance was purchased with a crypto chip installed direct from Netgate and it is no longer being listed for OpenVPN use.

      Should I open a TAC ticket??? I just completed a firmware reinstall and it's not listed.

      Path --->23.05.01 new firmware -----> direct to update ----> loss of crypto acceleration.

      I show my chip on the menu; however, OpenVPN can't see it.
      Screenshot 2024-01-08 at 5.28.16 PM.png

      Screenshot 2024-01-08 at 5.22.57 PM.png

      Make sure to upvote

      • JonathanLeeJ
        JonathanLee
        last edited by

        Does anyone else that uses this chip have this issue? Even with other models??? This system isn't even 3 years old

        • S
          SteveITS Galactic Empire @JonathanLee
          last edited by

          @JonathanLee said in 23.09.01 Hardware Crypto showing No Hardware Crypto Acceleration for system with crypto chip installed:

          My Hardware Crypto is no longer showing up under OpenVPN configuration.

          What do you mean by this?

          OpenVPN uses hardware if it sees it: https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#openvpn

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • JonathanLeeJ
            JonathanLee @SteveITS
            last edited by

            @SteveITS

            Thanks for the reply,

            To provide clarity, that was on 23.05.01.

            On 23.09.01 it does not see it now.

            • JonathanLeeJ
              JonathanLee @SteveITS
              last edited by

              @SteveITS said in 23.09.01 Hardware Crypto showing No Hardware Crypto Acceleration for system with crypto chip installed:

              https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#openvpn

              Screenshot 2024-01-08 at 6.09.46 PM.png

              I do have it active

              • JonathanLeeJ
                JonathanLee @SteveITS
                last edited by

                @SteveITS should it still list it? Under 23.05.01 it would show the chip to select and use. Now it’s not listed

                • S
                  SteveITS Galactic Empire @JonathanLee
                  last edited by

                  @JonathanLee I'm not clear what "it" is in your question?

                  a 2100 on 23.05.1:
                  Hardware crypto AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256,SHA384,SHA512

                  a 2100 on 23.09.1:
                  Hardware crypto AES-CBC, AES-CCM, AES-GCM, AES-ICM, AES-XTS, ChaCha20-Poly1305, SHA1, SHA256, SHA384, SHA512

                  If you're talking about the Hardware Crypto dropdown in the OpenVPN settings I think it basically ignores that anyway?

                  https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-crypto.html#hardware-crypto
                  "If available, this option controls which hardware cryptographic accelerator will be used by OpenVPN. When left unspecified, OpenVPN will choose automatically based on what is available in the operating system to accelerate ciphers OpenVPN wants to use.

                  Some hardware acceleration, such as AES-NI, happens automatically in OpenVPN via OpenSSL and cannot be enabled or disabled by this option.

                  Note
                  In most common deployments this setting is unnecessary as the automatic behavior of OpenVPN is correct."

                  • JonathanLeeJ
                    JonathanLee @SteveITS
                    last edited by

                    @SteveITS cool cool, maybe I was expecting fireworks or blinking leds or something, so I changed the firewall leds to be purple when the VPN state establishes, it helps me know when to not mess with it.

                    Thanks for the reply

                    • JonathanLeeJ
                      JonathanLee @SteveITS
                      last edited by JonathanLee

                      @SteveITS the device id shows error in 23.09.01 and it didn’t in 23.05.01

                      IMG_0053.png

                      • JonathanLeeJ
                        JonathanLee
                        last edited by JonathanLee

                        In 23.09.01

                        295a3eae-21bb-41ed-bbf0-c702dd20098f-image.png

                        e43cf1de-9060-41a3-98b3-4aaf2027d51c-image.png

                        ae8597c5-68d4-4b9f-bc2f-d95e671c68bd-image.png

                        150e275b-0b62-444f-a95f-c55f1c42681e-image.png

                        d5d06d15-b76f-4cff-a14a-df52200faf0d-image.png

                        • JonathanLeeJ
                          JonathanLee
                          last edited by

                          62c9aa3a-9326-4a8b-a84b-533331151a5f-image.png

                          It shows nothing for me, with

                          DOC enabled or disabled
                          encryption with removed chacha and enabled chacha
                          IPsec-MB enabled or disabled

                          23.09.01 I can't get it to run

                          • JonathanLeeJ
                            JonathanLee
                            last edited by

                            In 23.05.01:

                            0b5a9c75-8b38-44e3-af18-5565434c24f1-image.png
                            Chip working

                            2610e023-b71a-4585-965d-8d9ebe1ea631-image.png
                            Chip listed

                            93648637-8571-44ec-8b7e-9de3d548adb2-image.png

                            7d21ba8f-4a65-4650-aa82-818e31740ce4-image.png
                            Listed the chip

                            b8150d5c-53ef-4179-8d7f-dfaa2b551558-image.png
                            increments on use now shows 80

                            My device was purchased direct from Netgate and contains the chip.

                            What should I do???

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              OpenSSL no longer supports the BSD cryptodev device as an 'engine'. Selecting it there does nothing so it was removed.

                              SafeXcel should still be used for kernel mode crypto though so if you have DCO enabled.

                              Steve

                              • JonathanLeeJ
                                JonathanLee @stephenw10
                                last edited by JonathanLee

                                @stephenw10 I do have it enabled, though VM stat still shows no increments or any status for the chip. What can be done to correct that? Thanks for the reply. Have a good day.

                                Just for clarification, the new 2100s ship without a cypher chip? My version was the more expensive 2100MAX; it came with an SSD and the cypher chip. Is it possible the update repos do not know the difference between the older 2100 and the new 2100s?

                                Like a hypothetical model 2100A and 2100B ????

                                If so, how can I get my chip to work? The speed is drastically different on VPN use with it enabled.

                                1 Reply Last reply Reply Quote 0
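
The check the posts above keep returning to (whether the crypto chip's interrupt counter increments under VPN load) can be scripted by comparing two `vmstat -i` snapshots. This is an added example, not part of the thread or of Netgate's tooling; it assumes the FreeBSD driver shows up as `safexcel` in the interrupt list, and the two snapshots embedded below are constructed sample data.

```shell
#!/bin/sh
# Constructed `vmstat -i` style snapshots: before and after pushing VPN traffic.
BEFORE='interrupt                          total       rate
gic0,p11: generic_timer0          412345        103
gic0,s19: safexcel0                   80          0
gic0,s26: mvneta0                 987654        246
Total                            1400079        349'
AFTER='interrupt                          total       rate
gic0,p11: generic_timer0          472345        103
gic0,s19: safexcel0                 5312          1
gic0,s26: mvneta0                1187654        246
Total                            1665311        350'

# Sum the "total" column for every interrupt line naming the device.
# Assumed layout: "<source>: <device> ... <total> <rate>", so the total is
# the second-to-last field. A device with several rings has several lines.
irq_total() {
    # $1 = device name pattern, stdin = vmstat -i output
    awk -v dev="$1" '
        index($0, dev) && NF >= 3 && $(NF-1) ~ /^[0-9]+$/ { sum += $(NF-1) }
        END { print sum + 0 }'
}

# Classify the accelerator as absent, idle, or active between two snapshots.
accel_status() {
    # $1 = device pattern, $2 = snapshot before load, $3 = snapshot after load
    dev=$1
    if ! printf '%s\n' "$3" | grep -q -- "$dev"; then
        echo "absent"        # driver not attached or no interrupt registered
        return 0
    fi
    before=$(printf '%s\n' "$2" | irq_total "$dev")
    after=$(printf '%s\n' "$3" | irq_total "$dev")
    delta=$((after - before))
    if [ "$delta" -gt 0 ]; then
        echo "active $delta" # requests reached the device during the test
    else
        echo "idle"          # device present, but nothing was offloaded to it
    fi
}

# On a live system: b=$(vmstat -i); run traffic over the tunnel; a=$(vmstat -i)
accel_status safexcel "$BEFORE" "$AFTER"
```

An "idle" result with the device present means requests are not reaching the chip, which is a different finding from "absent", where the driver never attached.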
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Try disabling iimb. That will try to register against many of the same ciphers.

                                  • JonathanLeeJ
                                    JonathanLee @stephenw10
                                    last edited by

                                    @stephenw10 I did that, same results, dang. Please let me know if you find an advanced option for customers like me.

                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Do you actually see a reduction in throughput though? Or an increase in CPU usage?

                                      • JonathanLeeJ
                                        JonathanLee @stephenw10
                                        last edited by

                                        @stephenw10 yes with use on 22.05.01.

                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Like throughput is lower in 23.09.1 compared to 23.05.1?

                                          • JonathanLeeJ
                                            JonathanLee @stephenw10
                                            last edited by

                                            @stephenw10 let me test again hold on I turned 23.09.01 on again.

                                            Nope it’s 130kbs with dsl on 23.09.01
                                            It’s 123kb in 23.05.01

                                            Just checked with my pdfs again.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.