SafeNet SafeXcel 1141



  • Hello All,

    I have followed the thread on installing pfSense onto the Watchguard Firebox x### units in its entirety. From what I have been able to see, the SafeNet VPN accelerator mini-PCI card is at least detected in pfSense-1.2.3-RELEASE, but does not actually get the driver to make it function properly?

    Just curious if anyone has ventured into this any deeper? Made any throughput tests via a VPN with and without the accelerator card in place? The reason I am asking is that I have gotten a WatchGuard FB x500 that I am going to do a pfSense install onto to see how things go.

    It would be somewhat of a plus if the SafeNet card does provide some extra horsepower, as our school is going to go to ALL IP phones and two other remote buildings are connected to the "main" building via VPNs.
    I currently have 3 cast-off servers at each building running pfSense-1.2.3-RELEASE but would like to get two more Fireboxes to get them into the rack at each building, for one thing.
    The three pfSense boxes are working flawlessly, by the way!

    If anyone has done any actual testing with the SafeNet cards with iperf or something similar between endpoints I would like to hear about your findings.

    Thanks,
    Barry



  • @brcisna:

    From what I have been able to see, the SafeNet VPN accelerator mini-PCI card is at least detected in pfSense-1.2.3-RELEASE, but does not actually get the driver to make it function properly?

    Please provide the startup output (from shell command dmesg) or the relevant part concerning the safenet and I'll tell you if the driver is present.


  • Netgate Administrator

    As far as I can see the Safenet 1141 is fully supported by the safe(4) driver and the bootup seems to support that:

    safe0 mem 0xe7bfe000-0xe7bfffff irq 3 at device 6.0 on pci2
    safe0: [ITHREAD]
    safe0: SafeNet SafeXcel-1141 rng des/3des aes md5 sha1 null
    
    


  • @stephenw10:

    As far as I can see the Safenet 1141 is fully supported by the safe(4) driver and the bootup seems to support that:

    I agree, so perhaps the issue is whether something needs to be done to get the appropriate VPN code to use the card? Or maybe, whether there is anything to be gained on this particular platform from using the crypto card vs encryption purely in software.


  • Netgate Administrator

    As long as you are using one of the supported encryptions I don't think you need to do anything. It will be used by FreeBSD automagically! ;D
    Certainly on the Watchguard X-Core, which is P3 hardware, it makes a big difference. Not that I have tested though! ::)
    I'd love to get some Safenet 1841 support but it looks very unlikely.

    Steve



  • Hello All,

    Thank you to all that responded. I am going to start in on my initial install of pfSense-1.2.3-RELEASE on the x500 FB I have on Tuesday of this coming week. I will do some testing over VPN links with and without the VPN accelerator card with iperf/jperf and give a report.
    From the dmesg that was shown here by another poster it appears the card is set up correctly, but who knows if it is actually providing any additional throughput in the real world?…

    By the way, if anyone here is running CentOS 5, I have made an rpm that installs jperf very easily. There is a readme at this URL that explains how to set up jperf, in case you have never used it.
    JPerf is a frontend for iperf, of course. Very nice GUI :)

    ftp://eazylivin.net/server/jperf/

    Thanks,
    Barry



  • Have you enabled engine cryptodev in OpenVPN?  Having the OS support it is one thing, getting the software to actually use it is another.  I'm not sure if the OCF for safe is actually in the current implementation of Ovpn though.


  • Netgate Administrator

    Hmm. As I understood it, a virtual crypto device, cryptosoft0, is set up that handles all encryption/decryption duties in FreeBSD. If a hardware device exists it registers itself as the default device for whatever algorithms it supports. Anything else is still handled by the software device.
    As long as OpenVPN is using the BSD crypto subsystem at all it should work. ???

    Steve



  • Hrmm..  The thing is, you need to explicitly tell OpenVPN to use engine cryptodev if you have a Soekris VPN accelerator card and Padlock (VIA), GSXLB (AMD Geode) so on and so forth.
    I'm not sure how the pfSense build handles the crypto driver in the background but I do suppose entering engine cryptodev is worth a try if the safe driver is loaded.


  • Netgate Administrator

    Ah, well, my knowledge was all gleaned from my efforts trying to enable the SafeXcel 1841, which ended in failure!
    Yours is obviously from real experience so I imagine you're right. ::)

    Steve



  • Hello All, again,

    Thanks again for the feedback! OK, at present I have our two remote buildings set up with IPsec VPN tunnels, site to site. Am I right in assuming that there is no possibility of leveraging the SafeNet card with IPsec VPN? I guess I need to do some more homework on this. If I can use the SafeNet cards to gain some consistency for VPNs I will try to set up the FBs (once I get pfSense installed) with OpenVPN, rather than IPsec VPN.

    Thanks,
    Barry


  • Rebel Alliance Developer Netgate

    IPsec should use any built in crypto accelerator automatically, so long as it hooks into the BSD crypto system as others have mentioned. It's only OpenVPN that requires a nudge in the config to use it.
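
Added example (not part of the thread and not pfSense code): a small POSIX shell helper that reads the safe(4) attach line quoted earlier in the thread and reports, per algorithm, whether the card advertised it or whether it would be left to the software device as the posters describe. The function names and the `blowfish` test token are assumptions made for this illustration; algorithm names must be given in the driver's own vocabulary.

```shell
#!/bin/sh
# Constructed sample input: the safe(4) boot lines quoted in the thread.
SAMPLE_DMESG='safe0 mem 0xe7bfe000-0xe7bfffff irq 3 at device 6.0 on pci2
safe0: [ITHREAD]
safe0: SafeNet SafeXcel-1141 rng des/3des aes md5 sha1 null'

# safe_caps (hypothetical helper): read dmesg text on stdin and print the
# capability tokens announced by the safe(4) driver, one per line.
# "des/3des" is split into two tokens, "des" and "3des".
safe_caps() {
    sed -n 's/^safe[0-9][0-9]*: SafeNet SafeXcel-[0-9A-Za-z]* //p' |
        tr ' /' '\n\n' | sed '/^$/d'
}

# classify ALG DMESG_TEXT (hypothetical helper): print "hardware" if the
# card advertised ALG at attach time, otherwise "software".
classify() {
    if printf '%s\n' "$2" | safe_caps | grep -qxF -- "$1"; then
        echo hardware
    else
        echo software
    fi
}

# report DMESG_TEXT ALG... : one "alg result" line per algorithm.
report() {
    dmesg_text=$1
    shift
    for alg in "$@"; do
        printf '%s %s\n' "$alg" "$(classify "$alg" "$dmesg_text")"
    done
}

# On a live box, pass the real boot log: report "$(dmesg)" aes sha1
report "$SAMPLE_DMESG" aes 3des sha1 blowfish
```

This only shows what the driver announced when it attached; whether a given VPN daemon actually hands work to the card is the separate question the thread raises (`engine cryptodev` for OpenVPN).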

