Bihlmaier Andreas <[EMAIL PROTECTED]> wrote:

> Since I have no clue at all how IPSEC goes about "looking" for crypto
> accelerator hardware and making use of it, I'm kind of stuck. Because
> everything I have found so far by google and archives was that it should
> "just work".

Not directly applicable to Andreas's problem, but doubting questions
whether a provided crypto accelerator is actually used keep coming
up, and I just became aware of an extra twist to this:

My hifn (a Soekris vpn1401) didn't appear to be used for IPsec
either.  When I had ssh traffic terminating at that machine, there
were plenty of hifn0 interrupts, but when it only served as an IPsec
gateway there were none.  Strange.  So I took another look at the
crypto algorithms employed.  ipsecctl(8) defaults to AES and SHA2-256.
The Hifn 7955 supports AES, of course, and ... no SHA2.  You'd
imagine the crypto accelerator would still be used for AES with the
SHA2-256 hash added in software, but apparently this is not the
case.  I switched the IPsec setup to AES/SHA1 and now the hardware
acceleration is used, as the respective interrupt rate and overall
lower CPU usage convincingly demonstrate.

-- 
Christian "naddy" Weisgerber                          [EMAIL PROTECTED]
