AES-NI, is it supported yet?



  • I've only been able to find old threads on this topic. I'm looking into building a 1U with an E3-1230v3 in the hopes of utilizing aes-ni to push openvpn aes-256 traffic to at least 300Mbit/s. Is anyone successfully using aes-ni in pfsense? Even better, anyone using it in a VM with esxi or KVM (proxmox)?

    Thanks!



  • Yes, in ESXi 5.1u1 on an E3-1265L v2.


  • Rebel Alliance Developer Netgate

    It can help, somewhat, for OpenVPN 2.1 if you do not load the AES-NI kernel module. Counter-intuitive, but that's what the data shows so far. OpenSSL's AES-NI support seems to be better than FreeBSD's cryptodev support for AES-NI at this time. That will hopefully improve when it comes to FreeBSD 10. From what I hear there is work planned for it.

    See the recent thread on the pfSense mailing list about it. There was a lengthy discussion about the status.



  • @jimp:

    It can help, somewhat, for OpenVPN 2.1 if you do not load the AES-NI kernel module.

    Thanks for that info, jimp.

    Is that achieved simply by leaving the Crypto Hardware Acceleration set to "none" under System>Advanced Misc?


  • Rebel Alliance Developer Netgate

    That is correct. And if it was selected before, you will most likely need to reboot to make sure the module is unloaded properly.


Log in to reply