Is if_ipsec/ipsec - AESNI accelerated ?

John-Mark Gurney jmg at funkthat.com
Thu Aug 9 13:40:55 UTC 2018


David P. Discher wrote this message on Thu, Aug 09, 2018 at 00:00 -0700:
> 
> > On Aug 8, 2018, at 10:37 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> > 
> > On 09.08.2018 06:57, David P. Discher wrote:
> >> I'm suspecting that IPSec in FreeBSD is not leveraging AESNI on Intel.  Is this correct ?
> > 
> > IPsec uses crypto(9) framework that works by default without any
> > acceleration. You need to load aesni(4) kernel module to enable
> > acceleration. Also, you need to recreate security associations after
> > module loading to take effect.
> 
> Yes.  I booted with AESNI loaded - via loader.conf.  Transcript below. Two endpoints are identical hardware.

You don't show what ciphers you are using.  It could be that you're
using CBC mode, which is known to be slow, or that you're using a
slow AH that is limiting performance, and not the cipher...

Need to see your setkey.conf, or at least the output of setkey -D..

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
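
Added example, not part of the original thread: a small sh/awk filter that reduces `setkey -D` output to the cipher and authentication algorithm of each SA, which is the information the reply above asks for, without echoing key material. The function names, the note labels and the sample dump are constructed for illustration, and the dump layout (an unindented "src dst" line followed by indented `E:` and `A:` lines) is an assumption about the output format.

```sh
#!/bin/sh
# Summarise `setkey -D` output read on stdin: one line per SA with its
# cipher (E:) and authentication algorithm (A:). Keys are never printed.
sa_algos() {
    awk '
    function emit() {
        if (sa == "") return
        note = ""
        if (enc ~ /-cbc$/) note = note " cbc-cipher"     # CBC mode in use
        if (auth != "-")   note = note " separate-auth"  # separate A: algorithm
        printf "%s enc=%s auth=%s%s\n", sa, enc, auth, note
    }
    # Unindented two-field line starts a new SA block ("src dst").
    /^[^ \t]/ && NF == 2 { emit(); sa = $1 "->" $2; enc = "-"; auth = "-"; next }
    $1 == "E:" { enc = $2 }    # $3.. is key material, deliberately ignored
    $1 == "A:" { auth = $2 }
    END { emit() }
    '
}

# Constructed sample dump (documentation addresses, dummy keys).
sample_dump() {
cat <<'EOF'
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=4096(0x00001000) reqid=0(0x00000000)
    E: rijndael-cbc  00112233 44556677 8899aabb ccddeeff
    A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=4097(0x00001001) reqid=0(0x00000000)
    E: aes-gcm-16  00112233 44556677 8899aabb ccddeeff 00112233
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
EOF
}

# Demo on the constructed dump; on a real host: setkey -D | sa_algos
sample_dump | sa_algos
```

The summary is safe to paste into a list post because the key bytes after each algorithm name are dropped.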

