How to speed up IPSEC, hardware encryption devices????



  • Hi! Happy New Year and Merry Christmas!

    Just set up a site-to-site tunnel, all good and stable, but speed through the tunnel is ~7-8 Mbps out of ~40 Mbps directly.
    My routers are like this:

    #1 side

    ```
    Copyright (c) 1992-2006 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    FreeBSD 6.1-RELEASE-p10 #0: Sun Oct 29 01:06:20 UTC 2006
        sullrich@builder.livebsd.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Intel(R) Celeron(TM) CPU                1100MHz (1102.51-MHz 686-class CPU)
      Origin = "GenuineIntel"  Id = 0x6b1  Stepping = 1
      Features=0x383fbff<fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,mmx,fxsr,sse>
    real memory  = 528416768 (503 MB)
    avail memory = 507498496 (483 MB)
    ACPI APIC Table: <via601 awrdacpi>
    ioapic0 <version 1.1> irqs 0-23 on motherboard
    wlan: mac acl policy registered
    kbd1 at kbdmux0
    ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
    acpi0: <via601 msi acpi> on motherboard
    acpi0: Power Button (fixed)
    Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
    acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
    cpu0: <acpi cpu> on acpi0
    acpi_button0: <power button> on acpi0
    acpi_button1: <sleep button> on acpi0
    pcib0: <acpi host-pci bridge> port 0xcf8-0xcff,0x4000-0x407f,0x4080-0x40ff,0x5000-0x500f,0x6000-0x607f on acpi0
    pci0: <acpi pci bus> on pcib0
    agp0: <via 8601 (apollo promedia ple133ta) host to pci bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
    pcib1: <pci-pci bridge> at device 1.0 on pci0
    pci1: <pci bus> on pcib1
    pci1: <display, vga> at device 0.0 (no driver attached)
    isab0: <pci-isa bridge> at device 7.0 on pci0
    isa0: <isa bus> on isab0
    atapci0: <via 82c686b udma100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xc000-0xc00f at device 7.1 on pci0
    ata0: <ata channel 0> on atapci0
    ata1: <ata channel 1> on atapci0
    uhci0: <via 83c572 usb controller> port 0xc400-0xc41f irq 5 at device 7.2 on pci0
    uhci0: [GIANT-LOCKED]
    usb0: <via 83c572 usb controller> on uhci0
    usb0: USB revision 1.0
    uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub0: 2 ports with 2 removable, self powered
    uhci1: <via 83c572 usb controller> port 0xc800-0xc81f irq 5 at device 7.3 on pci0
    uhci1: [GIANT-LOCKED]
    usb1: <via 83c572 usb controller> on uhci1
    usb1: USB revision 1.0
    uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub1: 2 ports with 2 removable, self powered
    pci0: <old> at device 7.4 (no driver attached)
    pci0: <multimedia, audio> at device 7.5 (no driver attached)
    dc0: <davicom dm9102a 10/100basetx> port 0xdc00-0xdcff mem 0xd8000000-0xd80000ff irq 16 at device 8.0 on pci0
    miibus0: <mii bus> on dc0
    ukphy0: <generic ieee 802.3u media interface> on miibus0
    ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    dc0: Ethernet address: 00:08:a1:72:5b:30
    rl0: <realtek 8139 10/100basetx> port 0xe000-0xe0ff mem 0xd8001000-0xd80010ff irq 17 at device 9.0 on pci0
    miibus1: <mii bus> on rl0
    rlphy0: <realtek internal media interface> on miibus1
    rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    rl0: Ethernet address: 00:80:48:4b:f7:64
    rl1: <realtek 8139 10/100basetx> port 0xe400-0xe4ff mem 0xd8002000-0xd80020ff irq 18 at device 10.0 on pci0
    miibus2: <mii bus> on rl1
    rlphy1: <realtek internal media interface> on miibus2
    rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    rl1: Ethernet address: 00:80:48:4c:29:5d
    speaker0: <pc speaker> port 0x61 on acpi0
    fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
    fdc0: [FAST]
    fd0: <1440-KB 3.5" drive> on fdc0 drive 0
    sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
    sio0: type 16550A
    sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
    sio1: type 16550A
    ppc0: <standard parallel printer port> port 0x378-0x37f irq 7 on acpi0
    ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
    ppbus0: <parallel port bus> on ppc0
    lpt0: <printer> on ppbus0
    lpt0: Interrupt-driven port
    ppi0: <parallel i/o> on ppbus0
    pmtimer0 on isa0
    orm0: <isa option roms> at iomem 0xc0000-0xcbfff,0xcc000-0xcffff on isa0
    atkbdc0: <keyboard controller (i8042)> at port 0x60,0x64 on isa0
    atkbd0: <at keyboard> irq 1 on atkbdc0
    kbd0 at atkbd0
    atkbd0: [GIANT-LOCKED]
    sc0: <system console> at flags 0x100 on isa0
    sc0: VGA <16 virtual consoles, flags=0x300>
    vga0: <generic isa vga> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
    Timecounter "TSC" frequency 1102506857 Hz quality 800
    Timecounters tick every 1.000 msec
    Fast IPsec: Initialized Security Association Processing.
    ad0: 76319MB <wdc wd800jb-00jjc0 05.01c05> at ata0-master UDMA100
    acd0: CDROM <gcr-8523b 1.01> at ata1-slave PIO4
    ```

    #2 side

    ```
    Copyright (c) 1992-2006 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    FreeBSD 6.1-RELEASE-p10 #0: Sun Oct 29 01:06:20 UTC 2006
        sullrich@builder.livebsd.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Intel(R) Pentium(R) 4 CPU 2.40GHz (2396.88-MHz 686-class CPU)
      Origin = "GenuineIntel"  Id = 0xf33  Stepping = 3
      Features=0xbfebfbff<fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>
      Features2=0x41d<sse3,rsvd2,mon,ds_cpl,cntx-id>
    real memory  = 527695872 (503 MB)
    avail memory = 506793984 (483 MB)
    ACPI APIC Table: <a m i oemapic>
    ioapic0: Changing APIC ID to 1
    ioapic0 <version 2.0> irqs 0-23 on motherboard
    wlan: mac acl policy registered
    kbd1 at kbdmux0
    ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
    acpi0: <a m i oemrsdt> on motherboard
    acpi0: Power Button (fixed)
    Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
    acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
    cpu0: <acpi cpu> on acpi0
    acpi_throttle0: <acpi cpu throttling> on cpu0
    pcib0: <acpi host-pci bridge> port 0xcf8-0xcff on acpi0
    pci0: <acpi pci bus> on pcib0
    agp0: <intel 82865g (865g gmch) svga controller> port 0xec00-0xec07 mem 0xf0000000-0xf7ffffff,0xff280000-0xff2fffff irq 16 at device 2.0 on pci0
    agp0: detected 8060k stolen memory
    agp0: aperture size is 128M
    uhci0: <intel 82801eb/r (ich5) usb controller usb-a> port 0xdc00-0xdc1f irq 16 at device 29.0 on pci0
    uhci0: [GIANT-LOCKED]
    usb0: <intel 82801eb/r (ich5) usb controller usb-a> on uhci0
    usb0: USB revision 1.0
    uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub0: 2 ports with 2 removable, self powered
    uhci1: <intel 82801eb/r (ich5) usb controller usb-b> port 0xe000-0xe01f irq 19 at device 29.1 on pci0
    uhci1: [GIANT-LOCKED]
    usb1: <intel 82801eb/r (ich5) usb controller usb-b> on uhci1
    usb1: USB revision 1.0
    uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub1: 2 ports with 2 removable, self powered
    uhci2: <intel 82801eb/r (ich5) usb controller usb-c> port 0xe400-0xe41f irq 18 at device 29.2 on pci0
    uhci2: [GIANT-LOCKED]
    usb2: <intel 82801eb/r (ich5) usb controller usb-c> on uhci2
    usb2: USB revision 1.0
    uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub2: 2 ports with 2 removable, self powered
    uhci3: <intel 82801eb/r (ich5) usb controller usb-d> port 0xe800-0xe81f irq 16 at device 29.3 on pci0
    uhci3: [GIANT-LOCKED]
    usb3: <intel 82801eb/r (ich5) usb controller usb-d> on uhci3
    usb3: USB revision 1.0
    uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    uhub3: 2 ports with 2 removable, self powered
    ehci0: <intel 82801eb/r (ich5) usb 2.0 controller> mem 0xff27fc00-0xff27ffff irq 23 at device 29.7 on pci0
    ehci0: [GIANT-LOCKED]
    usb4: EHCI version 1.0
    usb4: companion controllers, 2 ports each: usb0 usb1 usb2 usb3
    usb4: <intel 82801eb/r (ich5) usb 2.0 controller> on ehci0
    usb4: USB revision 2.0
    uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
    uhub4: 8 ports with 8 removable, self powered
    pcib1: <acpi pci-pci bridge> at device 30.0 on pci0
    pci1: <acpi pci bus> on pcib1
    rl0: <realtek 8139 10/100basetx> port 0xb800-0xb8ff mem 0xff0ffc00-0xff0ffcff irq 20 at device 3.0 on pci1
    miibus0: <mii bus> on rl0
    rlphy0: <realtek internal media interface> on miibus0
    rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    rl0: Ethernet address: 00:00:21:fb:18:ab
    rl1: <realtek 8139 10/100basetx> port 0xb400-0xb4ff mem 0xff0ff800-0xff0ff8ff irq 22 at device 5.0 on pci1
    miibus1: <mii bus> on rl1
    rlphy1: <realtek internal media interface> on miibus1
    rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    rl1: Ethernet address: 00:19:66:37:19:07
    isab0: <pci-isa bridge> at device 31.0 on pci0
    isa0: <isa bus> on isab0
    atapci0: <intel ich5 udma100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 31.1 on pci0
    ata0: <ata channel 0> on atapci0
    ata1: <ata channel 1> on atapci0
    pci0: <serial bus, smbus> at device 31.3 (no driver attached)
    pci0: <multimedia, audio> at device 31.5 (no driver attached)
    acpi_button0: <power button> on acpi0
    speaker0: <pc speaker> port 0x61 on acpi0
    fdc0: <floppy drive controller (fde)> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
    fdc0: [FAST]
    fd0: <1440-KB 3.5" drive> on fdc0 drive 0
    ppc0: <ecp parallel printer port> port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0
    ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
    ppc0: FIFO with 16/16/9 bytes threshold
    ppbus0: <parallel port bus> on ppc0
    lpt0: <printer> on ppbus0
    lpt0: Interrupt-driven port
    ppi0: <parallel i/o> on ppbus0
    sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
    sio0: type 16550A
    pmtimer0 on isa0
    orm0: <isa option rom> at iomem 0xc0000-0xc9fff on isa0
    atkbdc0: <keyboard controller (i8042)> at port 0x60,0x64 on isa0
    atkbd0: <at keyboard> irq 1 on atkbdc0
    kbd0 at atkbd0
    atkbd0: [GIANT-LOCKED]
    sc0: <system console> at flags 0x100 on isa0
    sc0: VGA <16 virtual consoles, flags=0x300>
    sio1: configured irq 3 not in bitmap of probed irqs 0
    sio1: port may not be enabled
    vga0: <generic isa vga> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
    Timecounter "TSC" frequency 2396877174 Hz quality 800
    Timecounters tick every 1.000 msec
    Fast IPsec: Initialized Security Association Processing.
    ad1: 76319MB <seagate st3802110a 3.aaj> at ata0-slave UDMA100
    acd0: CDROM <hl-dt-st cd-rom gcr-8520b 1.00> at ata1-slave PIO4
    ```

    pfSense version is 1.0.1
    
    So what can I actually do to speed up the performance of my IPsec tunnel? Can I tweak the "software" with the existing hardware configuration, or should I install some special network cards with cryptographic support, or just a crypto card? What cryptographic equipment does pfSense actually support? And can I turn encryption for the tunnel off at all in pfSense?
    
    Thanks in advance,
    Anton


  • First, you might have better luck with a more recent build, like 1.2RC3
    Second, the IPSec config would have been handy instead of the bootup output.
    I've had good luck using a Hifn board like this http://www.soekris.com/vpn1401.htm
    There are other supported accelerators, check the FreeBSD HCL, but the HiFn cards seem to be well tested and supported.



  • Thanks for the reply, but for some odd reason I had problems installing 1.2RC2. I had problems with 1.0.1 as well, but solved them using the boot troubleshooting howto. OK, I will try 1.2RC3, if you think it will help. 7 Mbit/s is good for me though, just want everything to be fast and perfect ;-)



  • And a last question! Is it possible to switch encryption for the tunnel off?? I send nothing really special through it. And here is my config from one side:

    ```xml
    <pfsense>
      <version>2.3</version>
      <lastchange/>
      <theme>pfsense</theme>
      <system>
        <optimization>normal</optimization>
        <hostname>kenny</hostname>
        <domain>local</domain>
        <username>admin</username>
        <password>123456789</password>
        <timezone>Etc/UTC</timezone>
        <time-update-interval/>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
          <protocol>http</protocol>
          <certificate/>
          <private-key/>
        </webgui>
        <disablenatreflection>yes</disablenatreflection>
        <enablesshd>yes</enablesshd>
        <maximumstates/>
        <dnsserver>213.142.214.1</dnsserver>
        <dnsallowoverride/>
      </system>
      <interfaces>
        <lan>
          <if>rl0</if>
          <ipaddr>192.168.1.1</ipaddr>
          <subnet>24</subnet>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
        </lan>
        <wan>
          <if>rl1</if>
          <mtu/>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
          <spoofmac/>
          <disableftpproxy/>
          <ipaddr>192.170.1.2</ipaddr>
          <subnet>24</subnet>
          <gateway>192.170.1.1</gateway>
        </wan>
      </interfaces>
      <staticroutes/>
      <pppoe/>
      <pptp/>
      <bigpond/>
      <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
      </dyndns>
      <dhcpd>
        <lan>
          <enable/>
          <range>
            <from>192.168.1.100</from>
            <to>192.168.1.199</to>
          </range>
        </lan>
      </dhcpd>
      <pptpd>
        <mode/>
        <redir/>
        <localip/>
      </pptpd>
      <ovpn/>
      <dnsmasq>
        <enable/>
      </dnsmasq>
      <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
      </snmpd>
      <diag>
        <ipv6nat/>
      </diag>
      <bridge/>
      <syslog>
        <nentries>50</nentries>
        <nologdefaultblock/>
      </syslog>
      <nat>
        <ipsecpassthru/>
        <advancedoutbound>
          <rule>
            <source>
              <network>192.168.1.0/24</network>
            </source>
            <sourceport/>
            <descr>Auto created rule for LAN</descr>
            <target/>
            <interface>wan</interface>
            <destination>
              <any/>
            </destination>
            <natport/>
          </rule>
          <enable/>
        </advancedoutbound>
      </nat>
      <filter>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <address>10.7.3.115</address>
          </source>
          <destination>
            <any/>
          </destination>
          <log/>
          <descr>Allow All from raduga</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <address>Administartor</address>
          </source>
          <destination>
            <any/>
          </destination>
          <log/>
          <descr>Allow For Administrator</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <source>
            <address>Managers</address>
          </source>
          <destination>
            <any/>
          </destination>
          <log/>
          <descr>Allow For ManagerELena</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <address>Bank</address>
          </source>
          <destination>
            <any/>
          </destination>
          <log/>
          <descr>Allow For Banking Terminal</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <address>Operator</address>
          </source>
          <destination>
            <any/>
          </destination>
          <log/>
          <descr>Allow For Operator</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <address>Direktor</address>
          </source>
          <destination>
            <any/>
          </destination>
          <log/>
          <descr>Allow For Direktor</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <any/>
          </destination>
          <descr>DISABLE ALL</descr>
        </rule>
      </filter>
      <ipsec>
        <preferredoldsa/>
        <mobileclients>
          <p1>
            <mode>aggressive</mode>
            <myident>
              <myaddress/>
            </myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>1200</lifetime>
            <private-key/>
            <cert/>
            <authentication_method>pre_shared_key</authentication_method>
          </p1>
          <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
            <lifetime>1200</lifetime>
          </p2>
        </mobileclients>
        <mobilekey>
          <ident>gamesmaster@mail.ru</ident>
          <pre-shared-key>gbplfceifvb</pre-shared-key>
        </mobilekey>
        <tunnel>
          <interface>wan</interface>
          <local-subnet>
            <network>lan</network>
          </local-subnet>
          <remote-subnet>192.168.2.0/24</remote-subnet>
          <remote-gateway>10.7.3.115</remote-gateway>
          <p1>
            <mode>aggressive</mode>
            <myident>
              <ufqdn>gamesmaster@mail.ru</ufqdn>
            </myident>
            <encryption-algorithm>blowfish</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>1</dhgroup>
            <lifetime>86400</lifetime>
            <pre-shared-key>gbplfceifvb</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
          </p1>
          <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
            <lifetime>86400</lifetime>
          </p2>
          <descr>DrugbaToRadugaGW</descr>
        </tunnel>
        <tunnel>
          <disabled/>
          <interface>wan</interface>
          <local-subnet>
            <address>192.168.1.0/24</address>
          </local-subnet>
          <remote-subnet>192.168.3.0/24</remote-subnet>
          <remote-gateway>10.1.1.1</remote-gateway>
          <p1>
            <mode>aggressive</mode>
            <myident>
              <myaddress/>
            </myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>86400</lifetime>
            <pre-shared-key>gbplfceifvb</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
          </p1>
          <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <encryption-algorithm-option>cast128</encryption-algorithm-option>
            <encryption-algorithm-option>rijndael</encryption-algorithm-option>
            <encryption-algorithm-option>rijndael 256</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
            <lifetime>86400</lifetime>
          </p2>
          <descr>TunDrugbaRomashka5(denied until set up server in romashka)</descr>
        </tunnel>
        <enable/>
      </ipsec>
      <aliases>
        <alias>
          <name>Administartor</name>
          <address>192.168.1.3</address>
          <descr>Administrator computer</descr>
        </alias>
        <alias>
          <name>Bank</name>
          <address>192.168.1.6</address>
          <descr>Banking terminal machine</descr>
        </alias>
        <alias>
          <name>Direktor</name>
          <address>192.168.1.186</address>
          <descr>Directors computer</descr>
        </alias>
        <alias>
          <name>Managers</name>
          <address>192.168.1.219 192.168.1.42 192.168.1.43 192.168.1.46</address>
          <descr>Managers group</descr>
        </alias>
        <alias>
          <name>Operator</name>
          <address>192.168.1.31</address>
          <descr>Operators computer</descr>
        </alias>
      </aliases>
      <proxyarp/>
      <wol/>
      <installedpackages/>
      <revision>
        <description>/firewall_rules_edit.php made unknown change</description>
        <time>1199782773</time>
      </revision>
      <virtualip/>
    </pfsense>
    ```
    


  • Add an encryption card. With that 1.1 GHz Celeron I would bet that the processor is at 100% at 7-8 Mb/s.

    These work well with pfsense and are pretty cheap.

    http://soekris.com/vpn1401.htm



  • Hi,

    So if you just drop one of those VPN1401 cards into your machine, will it just pick up and use it for all IPSEC encryption, or does there need to be some configuration / re-installation for it to use it?

    Regards

    Ben



  • Just drop it in and it works. Assuming you have your tunnel using supported encryption. Per the note on the IPSec page: "Hint: use 3DES for best compatibility or if you have a hardware crypto accelerator card."
    You should see it listed on the system page.
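    As an added example (not code from this thread, from pfSense or from the Soekris card), the Python script below reads the `<ipsec>` section of a pfSense 1.x config.xml in the format posted earlier in the thread and reports, per tunnel, whether the phase 1 and phase 2 proposals include 3DES, the one algorithm the quoted pfSense hint names for accelerator use. The embedded config is constructed and abbreviated from the posted one; the `ACCELERATED` set is an assumption to be adjusted to what the card actually supports. On the side it flags two weak settings visible in the posted config, PFS off (`pfsgroup` 0) and DH group 1, which matter regardless of throughput.

    ```python
    """Audit IPsec tunnel proposals in a pfSense 1.x config.xml.

    Added example for this thread, not pfSense's own code.  It checks the
    "use 3DES if you have a hardware crypto accelerator card" hint against
    each <tunnel> and flags two weak settings on the side.  The embedded
    config is constructed and abbreviated from the one posted above.
    """
    import xml.etree.ElementTree as ET

    # Assumption: the only algorithm the pfSense hint names.  Extend this set
    # from the accelerator's datasheet if the card handles more.
    ACCELERATED = {"3des"}

    # Constructed sample, same element names as the posted config.
    SAMPLE_CONFIG = """<pfsense>
      <ipsec>
        <tunnel>
          <interface>wan</interface>
          <remote-subnet>192.168.2.0/24</remote-subnet>
          <p1>
            <encryption-algorithm>blowfish</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>1</dhgroup>
          </p1>
          <p2>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
          </p2>
          <descr>DrugbaToRadugaGW</descr>
        </tunnel>
        <tunnel>
          <disabled/>
          <interface>wan</interface>
          <remote-subnet>192.168.3.0/24</remote-subnet>
          <p1>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
          </p1>
          <p2>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
          </p2>
          <descr>TunDrugbaRomashka5</descr>
        </tunnel>
      </ipsec>
    </pfsense>
    """


    def audit_tunnels(config_xml):
        """Return one dict per <tunnel> with its algorithms and any findings."""
        root = ET.fromstring(config_xml)
        report = []
        for tun in root.findall("./ipsec/tunnel"):
            p1 = tun.find("p1")
            p2 = tun.find("p2")
            p1_enc = (p1.findtext("encryption-algorithm") or "").lower()
            p2_opts = [(e.text or "").lower()
                       for e in p2.findall("encryption-algorithm-option")]
            findings = []
            # Phase 1 (IKE) moves little data, but the card only helps if the
            # negotiated algorithm is one it implements.
            if p1_enc not in ACCELERATED:
                findings.append(f"phase 1 uses {p1_enc}, not in {sorted(ACCELERATED)}")
            # Phase 2 (ESP) carries the bulk traffic: this is where tunnel
            # throughput is decided.
            if not any(opt in ACCELERATED for opt in p2_opts):
                findings.append(f"phase 2 proposes none of {sorted(ACCELERATED)}")
            if p2.findtext("pfsgroup", "0") == "0":
                findings.append("PFS disabled (pfsgroup 0)")
            if p1.findtext("dhgroup") == "1":
                findings.append("phase 1 DH group 1 (768-bit MODP)")
            report.append({
                "descr": tun.findtext("descr", ""),
                "disabled": tun.find("disabled") is not None,
                "p1_enc": p1_enc,
                "p2_enc": p2_opts,
                "findings": findings,
            })
        return report


    if __name__ == "__main__":
        for entry in audit_tunnels(SAMPLE_CONFIG):
            state = "disabled" if entry["disabled"] else "enabled"
            print(f"{entry['descr']} ({state}): p1={entry['p1_enc']} p2={entry['p2_enc']}")
            for finding in entry["findings"]:
                print("  -", finding)
    ```

    Phase 2 is a proposal list, so a tunnel that merely lists 3DES among other options may still end up on a software-only cipher if the peer prefers one; after the tunnel is up, `setkey -D` on the firewall shows which algorithm the live SA actually negotiated.
    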




  • Well… I've seen the note, but I couldn't find any 3DES encryption cards in Russia unfortunately.... :-( Actually I just installed RC3, and will check the speed-up.

    UUUUFFF, you are so lucky having a Hifn card  >:(

