On 03/30/2012 03:16 PM, Dewey Hylton wrote:
> i'm getting ready to implement a few new site-to-site vpns using openbsd, and am on the hunt for appropriate hardware. i have several alix (geode) and lanner (intel atom) boxes working wonderfully as firewalls and routers, but neither type are able to provide enough throughput when ipsec is added to their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a minipci, and i know that soekris makes a crypto accelerator (hifn?) that may help - but i'm not sure that'll be enough oompf either. our site-to-site link will provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto performance benchmarks with openbsd, or at least make recommendations based on real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm testing with: auth hmac-sha2-256 enc aes
>
> thanks for your time.
>
I just sent "The Alix has a crypto accelerator that supports AES-128-CBC. You should get around 14Mbps using aes-128 and turning on kern.usercrypto."

I just realised that won't make a difference for IPSec since that's all in the kernel. My 14Mbps figures were tested using OpenVPN.

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]