Using AES-NI Recommended setup?
-
Getting ready to deploy an IPsec VPN between 2 pfSense firewalls running 2.2.6 and want to take advantage of the AES-NI feature, but I am hard pressed to find a tutorial or recommended options for phase 1 and phase 2 for encryption algorithm and hash algorithm, DH key, lifetime, etc.
Any suggestions would be much appreciated. I have a 1 Gigabit link between the 2 sites. No PPPoE.
1 is a 2758 Supermicro with 8GB RAM.
2 is Hyper-V running virtual pfSense. Both have AES-NI on them.
-
Due to my inability to patiently wait ;D ...
I tried doing a setup with the following on both:
P1: AES128-GCM (128 bits) and SHA256
P2: AES128-GCM (128 bits) and SHA256
Transferring a 500 MB file I could not get over 30 Mbit in either direction.
Both locations, when performing a speed test to the internet, are in excess of 700 Mbit for both upload and download.
Should I modify the settings for P1 and P2?
-
You can test on both ends whether AES-NI is enabled by using openssl as in the following link.
https://calomel.org/aesni_ssl_performance.html
You also need to enable AES-NI in pfSense under System -> Advanced, in the "Cryptographic Hardware Acceleration" settings somewhere, and reboot the unit.
Maybe Hyper-V isn't passing the AES-NI feature to its host, so you can also check that. We had some issues getting Hyper-V to work with AES-NI, but after some updates and random luck we got it working; I can't guide you on what we did :D.
IKEv2 AES128-GCM or AES256-GCM for both P1 and P2 should be fine (until they mistakenly remove the GCM option in P1 in pfSense 2.3 again :/ )
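As an added example (not from this thread, the calomel page, or pfSense itself), a POSIX shell check in the spirit of the linked openssl test: it runs `openssl speed -evp` once normally and once with `OPENSSL_ia32cap` masking the AES-NI and PCLMULQDQ capability bits, then reports the throughput ratio. A ratio near 1 on a box that claims AES-NI (for example a Hyper-V guest) means the instructions are not actually reaching OpenSSL. The cipher name and the sample `openssl speed` output used for parsing are constructed for the example.

```shell
#!/bin/sh
# Added example: compare AES-GCM throughput with AES-NI on vs. forced off.
# OPENSSL_ia32cap="~0x200000200000000" clears the AES-NI (bit 57) and
# PCLMULQDQ (bit 33) CPU capability bits so OpenSSL uses its software path.
AESNI_OFF_MASK='~0x200000200000000'

# Read `openssl speed -evp <cipher>` output on stdin and print the
# largest-block throughput (last column, in kB/s) for that cipher as an integer.
parse_throughput() {
  awk -v c="$1" '$1 == c { v = $NF; sub(/k$/, "", v); printf "%d\n", v; exit }'
}

# Print the speedup ratio (one decimal) of $1 over $2; "n/a" if $2 is 0.
speedup() {
  awk -v a="$1" -v b="$2" 'BEGIN { if (b == 0) { print "n/a"; exit } printf "%.1f\n", a / b }'
}

# Measure one cipher; an optional second argument is the OPENSSL_ia32cap mask.
measure() {
  if [ -n "$2" ]; then
    OPENSSL_ia32cap="$2" openssl speed -elapsed -evp "$1" 2>/dev/null | parse_throughput "$1"
  else
    openssl speed -elapsed -evp "$1" 2>/dev/null | parse_throughput "$1"
  fi
}

# Run both measurements and report. Takes ~40s because each run lasts 3s per block size.
aesni_check() {
  cipher="${1:-aes-128-gcm}"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  with_ni=$(measure "$cipher")
  without_ni=$(measure "$cipher" "$AESNI_OFF_MASK")
  echo "$cipher: AES-NI ${with_ni} kB/s, software ${without_ni} kB/s, speedup $(speedup "$with_ni" "$without_ni")x"
}

# Uncomment to run the live check on this machine:
# aesni_check aes-128-gcm
```

On pfSense the same two-run comparison can be done from the shell; a speedup of several times indicates AES-NI is in use, while a ratio close to 1 points at the hypervisor or a missing acceleration setting.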