    Using AES-NI Recommended setup?

      kapara last edited by

      Getting ready to deploy an IPsec VPN between 2 pfSense firewalls running 2.2.6 and want to take advantage of the AES-NI feature, but I am hard pressed to find a tutorial or recommended options for phase 1 and phase 2 for encryption algorithm and hash algorithm, DH Key, lifetime, etc.

      Any suggestions would be much appreciated.  I have a 1 Gigabit link between the 2 sites.  No PPPoE.

      1 is a 2758 Supermicro with 8GB ram
      2 is Hyper-V running virtual pfSense

      Both have AES-NI on them.

        kapara last edited by

        Due to my inability to patiently wait ;D ...

        I tried doing a setup with the following on both:

        P1: AES128-GCM (128 bits) and SHA256

        P2:  AES128-GCM (128 bits) and SHA256

        Transferring a 500mb file I could not get over 30Mbit in either direction.

        Both locations when performing speed test to internet are in excess of 700mbit for both upload and download.

        Should I modify the settings for P1 and P2?

          laped last edited by

          You can test at both ends whether AES-NI is enabled by using openssl, as in the following link.

          https://calomel.org/aesni_ssl_performance.html

          You also need to enable AES-NI in pfSense in the system->advanced "cryptographic hardware acceleration" settings somewhere and reboot the unit.

          Maybe the Hyper-V isn't passing the AES-NI feature to its host, so you can also check that. We had some issues getting Hyper-V to work with AES-NI, but after some updates and random luck we got it working, but I can't guide you on what we did :D.

          IKEv2 AES128-GCM or AES256-GCM for both P1 and P2 should be fine (until they mistakenly remove the GCM option in P1 in pfSense 2.3 again :/ )

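The checks suggested in the last reply (is the AES-NI flag visible to the OS, is acceleration enabled, and does OpenSSL throughput reflect it), as an added example that is not part of the original thread. The function names and sample text are constructed for illustration; the boot-message and `openssl speed` line formats are assumed to match what a FreeBSD-based pfSense prints.

```shell
#!/bin/sh
# Added example (not from the thread). On a real pfSense/FreeBSD box:
#   aesni_state < /var/run/dmesg.boot
#   openssl speed -evp aes-128-gcm 2>/dev/null | speed_k aes-128-gcm
#   OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-128-gcm  # software-only run

# Classify AES-NI availability from boot messages on stdin:
#   no-cpu-flag  CPU/hypervisor does not expose AESNI to this OS
#   no-driver    flag present, but the aesni driver has not attached
#   ok           flag present and aesni0 attached
aesni_state() {
    awk '
        /Features2=.*<.*>/ {
            s = $0; sub(/^.*</, "", s); sub(/>.*$/, "", s)  # keep the flag list
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") flag = 1
        }
        /^aesni0: </ { drv = 1 }
        END { print (!flag ? "no-cpu-flag" : (!drv ? "no-driver" : "ok")) }'
}

# Largest-block throughput (1000s of bytes/s, truncated) for cipher $1,
# taken from `openssl speed -evp` output on stdin.
speed_k() {
    awk -v c="$1" 'tolower($1) == c { v = $NF; sub(/k$/, "", v); printf "%d\n", v }'
}

# Constructed samples, modelled on FreeBSD boot text and openssl output.
GUEST_NO_FLAG='  Features2=0x80982203<SSE3,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,HV>'
HOST_NO_DRV='  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,AESNI,RDRAND>'
HOST_OK="$HOST_NO_DRV
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard"
SPEED_HW='aes-128-gcm  110234.10k 290110.55k 480322.01k 560871.42k 601455.87k'
SPEED_SW='aes-128-gcm   41020.33k  45110.90k  46201.77k  46630.12k  46712.05k'

for s in "$GUEST_NO_FLAG" "$HOST_NO_DRV" "$HOST_OK"; do
    printf '%s\n' "$s" | aesni_state
done
hw=$(printf '%s\n' "$SPEED_HW" | speed_k aes-128-gcm)
sw=$(printf '%s\n' "$SPEED_SW" | speed_k aes-128-gcm)
echo "accelerated run is about $((hw / sw))x the software-only run"
```

`openssl speed` measures userland OpenSSL only, so a good ratio confirms the CPU feature is usable but does not by itself prove the IPsec data path is accelerated.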