AES-NI, is it supported yet?

diablo266

I've only been able to find old threads on this topic. I'm looking into building a 1U with an E3-1230v3 in the hopes of utilizing aes-ni to push openvpn aes-256 traffic to at least 300Mbit/s. Is anyone successfully using aes-ni in pfsense? Even better, anyone using it in a VM with esxi or KVM (proxmox)?

Thanks!

biggsy

Yes, in ESXi 5.1u1 on an E3-1265L v2.

jimp

It can help, somewhat, for OpenVPN 2.1 if you do not load the AES-NI kernel module. Counter-intuitive, but that's what the data shows so far. OpenSSL's AES-NI support seems to be better than FreeBSD's cryptodev support for AES-NI at this time. That will hopefully improve when it comes to FreeBSD 10. From what I hear there is work planned for it.

See the recent thread on the pfSense mailing list about it. There was a lengthy discussion about the status.

biggsy

@jimp:

It can help, somewhat, for OpenVPN 2.1 if you do not load the AES-NI kernel module.

Thanks for that info, jimp.

Is that achieved simply by leaving the Crypto Hardware Acceleration set to "none" under System>Advanced Misc?

jimp

That is correct. And if it was selected before, you will most likely need to reboot to make sure the module is unloaded properly.