multiple crypto accelerator cards in one FreeBSD box

sekchye goh sekchye at gmail.com
Thu Feb 17 21:53:18 PST 2005


Hi Sam,
  Thanks for the enlightening answer.
  Initially, we are thinking of building a super duper IPSEC VPN
concentrator using FreeBSD with multiple crypto accelerator cards like
Soekris VPN1401 and a Gigabit interface card to terminate many many
IPSEC connections in one single box.

  After reading your reply, I guess we will just use one crypto
accelerator card in each FreeBSD box and scale up by adding more
boxes.

  Thanks!


On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler <sam at errno.com> wrote:
> sekchye goh wrote:
> > Hi there!
> >  We are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
> > version VPN1401 cards in a FreeBSD box using hifn support.
> >  From the technical specs on the Soekris website
> > http://www.soekris.com/vpn1401.htm,
> > each card can support 24 to 70 connections.  The question is if we
> > put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
> > 3 x (24 to 70) IPSEC connections?
> >
> 
> Not sure where the 24-70 connection numbers come from.  If it's based on
> allocating session state in on-chip SDRAM then that was removed a while
> ago by moving the session state allocation to host memory.  If the
> numbers are representative of peak performance then I'd be curious where
> they came from.  Understand that you're likely to be bus-limited for
> performance and adding additional cards isn't going to help unless cards
> are on separate PCI buses.  Beware however that the current crypto code
> does not manage multiple cards well.  If you decide to go with multiple
> cards you'll want to do some load balancing.
> 
>         Sam
>

