Even though the card is detected, I'm not seeing any boost in
IPsec performance.
I'm getting 10Mb/s using 3des. The raw speed (no ipsec) of the
link is around 25Mb/s. This measured with netstrain.
Here's what dmesg says -
hifn0 at pci0 dev 13 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5
SHA1 RNG AES PK, 32KB dram, irq 12
I know in FreeBSD/DragonFly I have a couple of tools to check to
see if it's being engaged - hifnstats and cryptostats
(in /usr/src/tools/tools/crypto), but I'm not sure if the equivalent
exists for OpenBSD.
I was looking at sysctl oids for ipsec -
net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
# ipsecadm show -esp
sadb_dump: satype esp vers 2 len 22 seq 0 pid 0
errno 191: Unknown error: 191
sa: spi 0x00001001 auth hmac-sha1 enc aes
state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 0 add 1129153280 first 0
address_src: 47.x.x.x
address_dst: 47.y.y.y
key_auth: bits 160: e14c30ace1478dfcba0b3ffcd217ddf8fd1fedf9
key_encrypt: bits 192: d82fd5d82fd5d82fd5d82fd5d82fd5d82fd5d82fd5d82fd5
sadb_dump: satype esp vers 2 len 22 seq 0 pid 0
errno 191: Unknown error: 191
sa: spi 0x00001000 auth hmac-sha1 enc aes
state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 0 add 1129153280 first 0
address_src: 47.y.y.y
address_dst: 47.x.x.x
key_auth: bits 160: e14c30ace1478dfcba0b3ffcd217ddf8fd1fedf9
key_encrypt: bits 192: d82fd5d82fd5d82fd5d82fd5d82fd5d82fd5d82fd5d82fd5
Cpu is a Geode1100 - doing 10Mb/s IPsec has it maxed out :)
Cheers,
Andrew.
