Netgate Discussion Forum
    Using AES-NI Recommended setup?

    IPsec
    3 Posts 2 Posters 1.9k Views

    • kapara

      Getting ready to deploy an IPsec VPN between 2 pfSense firewalls running 2.2.6 and want to take advantage of the AES-NI feature, but I am hard pressed to find a tutorial or recommended options for phase 1 and phase 2: encryption algorithm and hash algorithm, DH key, lifetime, etc.

      Any suggestions would be much appreciated. I have a 1 Gigabit link between the 2 sites. No PPPoE.

      1 is a 2758 Supermicro with 8 GB RAM
      2 is Hyper-V running a virtual pfSense

      Both have AES-NI on them.

      Skype ID:  Marinhd

      • kapara

        Due to my inability to patiently wait ;D ...

        I tried doing a setup with the following on both:

        P1: AES128-GCM (128 bits) and SHA256

        P2: AES128-GCM (128 bits) and SHA256

        Transferring a 500 MB file I could not get over 30 Mbit in either direction.

        Both locations, when performing a speed test to the internet, are in excess of 700 Mbit for both upload and download.

        Should I modify the settings for P1 and P2?

        • laped

          You can test on both ends whether AES-NI is enabled by using openssl as in the following link.

          https://calomel.org/aesni_ssl_performance.html

          You also need to enable AES-NI in pfSense in the System -> Advanced "Cryptographic Hardware Acceleration" setting somewhere and reboot the unit.

          Maybe Hyper-V isn't passing the AES-NI feature to its host, so you can also check that. We had some issues getting Hyper-V to work with AES-NI; after some updates and random luck we got it working, but I can't guide you on what we did :D.

          IKEv2 AES128-GCM or AES256-GCM for both P1 and P2 should be fine (until they mistakenly remove the GCM option in P1 in pfSense 2.3 again :/ )

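The AES-NI check laped points to, written out as an added example (this script is not from the thread, from the linked page, or from pfSense/Netgate): it looks for the CPU flag the way you would on Linux (`aes` in `/proc/cpuinfo`) and on FreeBSD/pfSense (`AESNI` in the `Features2` boot line kept in `/var/run/dmesg.boot`), then runs `openssl speed -evp aes-128-gcm` twice, once normally and once with the AES-NI CPUID bit masked off through `OPENSSL_ia32cap`, so the throughput gap shows whether the instructions are actually in use. Running it on both tunnel ends, including inside the Hyper-V guest, tells you whether the hypervisor exposes the feature. The cpuinfo/dmesg sample lines are constructed for the demonstration, and the `run` argument is this script's own convention.

```shell
#!/bin/sh
# Added example, not the thread's or pfSense's own code: detect AES-NI and show
# whether openssl actually benefits from it. Usage: sh aesni_check.sh run

# has_aesni_flag: read CPU feature text on stdin; exit 0 if an AES-NI flag is listed.
# Linux /proc/cpuinfo lists "aes" in the "flags" line; FreeBSD (pfSense) lists "AESNI"
# inside the "Features2=<...>" boot line. The match is bounded by non-letters so
# names such as "vaes" or "DTES64" do not count as a hit.
has_aesni_flag() {
    grep -Eiq '(^|[^a-zA-Z])aes(ni)?([^a-zA-Z]|$)'
}

# Constructed sample lines for demonstration; they are not from any real machine.
SAMPLE_LINUX_WITH='flags : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx'
SAMPLE_LINUX_WITHOUT='flags : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 popcnt xsave avx'
SAMPLE_FREEBSD_WITH='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_FREEBSD_WITHOUT='  Features2=0x5ffafbff<SSE3,PCLMULQDQ,DTES64,MON,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,AVX>'

# detect_aesni: check the live system. Prints "present" or "absent"; returns 0 or 1.
# /proc/cpuinfo is the Linux source, /var/run/dmesg.boot the FreeBSD one (the boot
# messages survive there even after the kernel message buffer has wrapped).
detect_aesni() {
    if [ -r /proc/cpuinfo ] && has_aesni_flag < /proc/cpuinfo; then
        echo present
        return 0
    fi
    if [ -r /var/run/dmesg.boot ] && has_aesni_flag < /var/run/dmesg.boot; then
        echo present
        return 0
    fi
    echo absent
    return 1
}

# bench_gcm: openssl's EVP path picks AES-NI automatically when the CPU exposes it.
# OPENSSL_ia32cap="~0x200000000000000" clears bit 57 of the capability word, which is
# ECX bit 25 of CPUID leaf 1, the AES-NI bit, so the second run uses the software AES
# path on the same machine. A large gap between the two rows means AES-NI is live;
# two similar rows mean the CPU, the kernel or the hypervisor is not exposing it.
bench_gcm() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    echo "== aes-128-gcm, AES-NI allowed (bytes/s per block size) =="
    openssl speed -elapsed -evp aes-128-gcm 2>/dev/null | tail -n 1
    echo "== aes-128-gcm, AES-NI masked off via OPENSSL_ia32cap =="
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -elapsed -evp aes-128-gcm 2>/dev/null | tail -n 1
}

# Only run the live checks when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    printf 'AES-NI flag: '
    detect_aesni || true
    bench_gcm || true
fi
```

Run it as `sh aesni_check.sh run` on each firewall. A flag reported as absent inside the Hyper-V guest while the host shows it confirms the hypervisor is the problem; a flag present but two nearly identical benchmark rows usually means the OpenSSL build or the kernel module (the pfSense "Cryptographic Hardware Acceleration" setting) is not using the instructions yet.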
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.