VIA Padlock Hardware Crypto für IPSec



  • Servus!

    Mein VIA C7-D hat ja VIA Padlock onboard, welches ich gerne für IPSec nutzen möchte. Anhand der CPU-Auslastung und des Durchsatzes vermute ich das Padlock nicht genutzt wird.

    Ich habe auch mal ne Runde getestet:

    [2.0-RELEASE][root@pfsense.localdomain]/boot/modules(31): openssl speed -elapsed -evp aes128 -engine cryptodev
    engine "cryptodev" set.
    You have chosen to measure elapsed time instead of user CPU time.
    To get the most accurate results, try to run this
    program when this computer is idle.
    Doing aes-128-cbc for 3s on 16 size blocks: 789674 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 986427 aes-128-cbc's in 3.01s
    Doing aes-128-cbc for 3s on 256 size blocks: 909672 aes-128-cbc's in 3.01s
    Doing aes-128-cbc for 3s on 1024 size blocks: 654516 aes-128-cbc's in 3.01s
    Doing aes-128-cbc for 3s on 8192 size blocks: 124498 aes-128-cbc's in 3.01s
    OpenSSL 0.9.8n 24 Mar 2010
    built on: date not available
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: gettimeofday
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc       4205.63k    20976.12k    77370.13k   222675.38k   338788.64k

    [2.0-RELEASE][root@pfsense.localdomain]/boot/modules(51): openssl speed -elapsed -evp aes128 -engine padlock
    engine "padlock" set.
    You have chosen to measure elapsed time instead of user CPU time.
    To get the most accurate results, try to run this
    program when this computer is idle.
    Doing aes-128-cbc for 3s on 16 size blocks: 12252187 aes-128-cbc's in 3.01s
    Doing aes-128-cbc for 3s on 64 size blocks: 12904150 aes-128-cbc's in 3.01s
    Doing aes-128-cbc for 3s on 256 size blocks: 7637010 aes-128-cbc's in 3.01s
    Doing aes-128-cbc for 3s on 1024 size blocks: 2885193 aes-128-cbc's in 3.02s
    Doing aes-128-cbc for 3s on 8192 size blocks: 376539 aes-128-cbc's in 3.00s
    OpenSSL 0.9.8n 24 Mar 2010
    built on: date not available
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
    compiler: cc
    available timing options: USE_TOD HZ=128 [sysconf value]
    timing function used: gettimeofday
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc      65180.92k   274383.34k   649544.77k   978813.40k  1027706.80k

    Somit ist Padlock da, läuft auch aber halt anscheinend nicht mit IPSec. Ich habe IPSec auf AES gestellt.

    Syslog vermeldet

    kernel: padlock0: <aes-cbc,sha1,sha256>on motherboard und kernel: VIA Padlock Features=0xffcc<rng,aes,aes-ctr,sha1,sha256,rsa></rng,aes,aes-ctr,sha1,sha256,rsa></aes-cbc,sha1,sha256>

    Kann mir de jemand helfen? Für OpenVPN kann man die Hardware-Crypt nämlich gezielt auswählen.

    Danke!


Log in to reply