Netgate Discussion Forum

    Activating IPsec-MB Crypto

    • McMurphy

      The link below states OpenVPN benefits from IPSec-MB and AES-NI is an alternative
      https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#openvpn

      My Hardware shows it supports IPSec-MB however it is inactive.
      [Screenshot: 18.07.2024_08.36.53_REC.png]

      In System => Advanced => Misc I do not have an option to activate IPSec-MB
      [Screenshot: 18.07.2024_08.38.31_REC.png]

      I see the Option for QAT here even though the hardware shows it is not available.

      What is my best option to select here?

      • SteveITS @McMurphy

        @McMurphy IIMB is the checkbox in your screenshot. :)

        There is a write up in this section:
        https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#cryptographic-thermal-hardware
        “Best” depends on a few things, for instance algorithm.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

          • McMurphy @SteveITS

          @SteveITS said in Activating IPsec-MB Crypto:

          IIMB is the checkbox in your screenshot. :)

          oh, that's a bit embarrassing :)

          Few more qns pls:

          1. Now I have IPSec-MB enabled, what should be selected for crypto hardware?
          2. Should QAT be listed here if it is not an option for my hardware?
          3. When I enabled IPSec-MB, do I need to restart pfSense for this to take effect?

          I am trying to improve the speeds to a site-site OVPN link. IPSec runs at approx 95Mbps whereas the best I can get from OVPN+DCO is 30Mbps

            • SteveITS @McMurphy

            @McMurphy On https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#supported-devices it says

            "QAT is ideal for use with IPsec and OpenVPN DCO. It is currently the fastest acceleration option for the algorithms it supports."

            Is this a Netgate model or your own hardware?

            I want to say if you enable QAT it might not say No anymore...I don't have one I can easily toggle though. I think it wouldn't be in the dropdown if it wasn't supported on the hardware.

              • McMurphy @SteveITS

              @SteveITS

              My own hardware.

              I did select QAT but it still shows as "No" on the dashboard so I guess it is not available.

                • TheWaterbug @SteveITS

                @SteveITS said in Activating IPsec-MB Crypto:

                @McMurphy IIMB is the checkbox in your screenshot. :)

                I don't have this in my Misc section:

                [Image: 0b28a602-4517-4ac2-8ba8-2d40c3f37104-image.png]

                I'm running pfsense CE 2.6.0-RELEASE (amd64) on a Protectli FW4C:

                [Image: 0065bbe6-871e-45c6-8c84-b81a8949ec08-image.png]

                Am I lacking hardware or a software update to enable this?

                I run S2S IPsec tunnels among 3 of these units, each connected by 1000/1000 fiber, so any improvement in throughput would be welcome!

                Thanks!

                  • SteveITS @TheWaterbug

                  @TheWaterbug It's a Plus feature.
                  https://docs.netgate.com/pfsense/en/latest/general/plus.html#intel-ipsec-multi-buffer-iimb-support

                  Also 2.6 is super old. When you get to 2.7.0 you'll probably need
                  https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting

                    • TheWaterbug @SteveITS

                    @SteveITS

                    Ugh. I'm not really thrilled about having to pay for Plus or TAC.

                    And I know I need to get off of 2.60, but there were lots of warnings about exactly what you linked, so I held off.

                    And now we're at 2.8x, aren't we?

                    Maybe I should buy another Protectli unit for testing.

                      • SteveITS @TheWaterbug

                      @TheWaterbug

                      warnings about exactly what you linked

                      FWIW that command’s an easy solution. After that there are plenty of System Patches updates, as normal. Well, we’re but 2.8 has them all.

                        • Zermus @McMurphy

                        @McMurphy Do you have an external BSD-compatible cryptodev accelerator card or device outside of your AES-NI CPU? (These devices are extremely hard to find.) If not, why are you telling pfSense that you do? If you don't, you should use AES-NI CPU-based acceleration only.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.