AES-NI, is it supported yet?



  • I've only been able to find old threads on this topic. I'm looking into building a 1U with an E3-1230v3 in the hopes of utilizing AES-NI to push OpenVPN AES-256 traffic to at least 300 Mbit/s. Is anyone successfully using AES-NI in pfSense? Even better, is anyone using it in a VM with ESXi or KVM (Proxmox)?

    Thanks!



  • Yes, in ESXi 5.1u1 on an E3-1265L v2.


  • Rebel Alliance Developer Netgate

    It can help, somewhat, for OpenVPN 2.1 if you do not load the AES-NI kernel module. Counter-intuitive, but that's what the data shows so far. OpenSSL's AES-NI support seems to be better than FreeBSD's cryptodev support for AES-NI at this time. That will hopefully improve when it comes to FreeBSD 10. From what I hear there is work planned for it.

    See the recent thread on the pfSense mailing list about it. There was a lengthy discussion about the status.



  • @jimp:

    It can help, somewhat, for OpenVPN 2.1 if you do not load the AES-NI kernel module.

    Thanks for that info, jimp.

    Is that achieved simply by leaving the Crypto Hardware Acceleration set to "none" under System>Advanced Misc?


  • Rebel Alliance Developer Netgate

    That is correct. And if it was selected before, you will most likely need to reboot to make sure the module is unloaded properly.