On Nov 6, 2013, at 8:06 AM, Thinker Rix <thinke...@rocketmail.com> wrote:

> On 2013-11-06 15:29, Jim Thompson wrote:
>>> On Nov 6, 2013, at 7:22, Vick Khera <vi...@khera.org> wrote:
>>> 
>>> pfSense lists the AES-NI as a supported option for crypto acceleration.  
>>> pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
>>> config setting for it.
>> I'm not aware of any performance testing for AES-NI on pfSense.
>> 
>> There are reports that FreeBSD doesn't support AES-NI very well.
> 
> Thank you for this information, Jim. So I figure that buying the Xeon just 
> for its AES functions would (currently) be a waste of money.

I can’t answer this, because I’ve not tested it.

I know that the Linux kernel and OpenBSD both take full advantage of AES-NI 
instructions.

http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html
http://comments.gmane.org/gmane.os.openbsd.misc/199639

I know there is an implementation of AES-NI for cryptodev, but I HAVE NOT 
TESTED IT (nor has anyone else on the pfSense team, AFAIK).

There seems to be an issue:
http://forum.pfsense.org/index.php/topic,54008.30.html
http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html

In the meantime, it might be possible to use OpenVPN with a patched OpenSSL 
library to achieve the results you desire (but now you’re off into DIY land).
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

That all said, we will find and fix the issue at some point. (I’m actually in 
San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a potential 
issue.)

Jim

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
