On 2013-11-06 15:22, Vick Khera wrote:
On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix <thinke...@rocketmail.com
<mailto:thinke...@rocketmail.com>> wrote:
Would pfSense use this CPU instructions so to
hardware-encrypt/decrypt all VPN traffic (openVPN)?
Woud pfSense benefit from this in any other way, too?
pfSense lists the AES-NI as a supported option for crypto
acceleration. pfSense will use it for OpenVPN and IPsec if you tell
it to. There's a config setting for it.
As to your question of is it worth the cost, that depends on how much
VPN traffic you have. The Xeon will handle a damn lot of traffic all
on its own. If you are pushing more than 40Mbps on the VPN, then
perhaps consider the extra cost. If it is low, like under 5 or 10Mbps,
then I'd probably suggest that it is not worth the cost.
As a reference, between my data center and my primary office, I have
an IPsec tunnel. The office runs on an old Intel 32-bit Pentium 4
2.4GHz dual core server. The data center runs on Intel Xeon E31220L @
2.20GHz quad-core. Neither one has any built-in cryptodev supported
devices. The IPsec tunnel maxes out at about 20Mbps during large file
backups. I don't think it would go any faster with hardware
acceleration, and the load on these boxes hovers around 0 still. The
data center firewall is also busy pushing over 100Mpbs of regular
traffic to hundreds of clients as well.
Hi Vick,
Thank you for your reference, it is very valuable for me!
I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.
What do you think is the reason for your VPN traffic maxing out at
20Mpbs (I assume that your connection is not the traffic bottle neck,
right?), although your CPUs are almost idle?
Best regards
Thinker Rix
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list