I've made up a test LAN built on two mini-ITX VIA C3-based boards to test
the AES encryption functionality of this CPU on a real setup.

I've used flashboot 0.7.2 from Damien, simply to save time (I have
some flash cards already configured) and because it seems to me a very good
product; the kernel is GENERIC-MD.

The LAN was only populated with the machines needed for the test: two OBSD
3.7 boxes and the two C3-based boards, with the needed switches to wire them
together. On the two OBSD boxes I got iperf (1.7.0) from packages to produce
the traffic. PF is disabled.

The VPN configuration is exactly the one from vpn(8) with only the IPs and
Transforms suite changed.

Now the results.

Iperf with the 3DES suite shows 6.7Mbit/s, with the AES suite 16.8Mbit/s.
The LAN with no IPSec, just routing, shows 86Mbit/s; the two OBSD boxes
wired together show up to 94Mbit/s.

Here is the conf:
# Incoming phase 1 negotiations are multiplexed on the source IP
# address. Phase 1 is used to set up a protected channel just
# between the two gateway machines. This channel is then used for
# the phase 2 negotiation traffic (i.e. encrypted & authenticated).

[Phase 1]
192.168.3.198= peer-machineB

# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.

[Phase 2]
Connections= VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])

[peer-machineB]
Phase= 1
Transport= udp
Address= 192.168.3.198
Configuration= Default-main-mode
Authentication= yoursharedsecret

# IPSEC phase 2 connections (from [Phase 2])

[VPN-A-B]
Phase= 2
ISAKMP-peer= peer-machineB
Configuration= Default-quick-mode
Local-ID= machineA-internal-network
Remote-ID= machineB-internal-network

# ID sections (as used in [VPN-A-B])

[machineA-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.0
Netmask= 255.255.255.0

[machineB-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.4.0
Netmask= 255.255.255.0

# Main and Quick Mode descriptions (as used by peers and connections)

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
# Transforms= 3DES-SHA,BLF-SHA
Transforms= AES-SHA,BLF-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
# Suites= QM-ESP-3DES-SHA-SUITE
Suites= QM-ESP-AES-SHA-SUITE
Here are the two dmesgs (very similar):
gwtest1:
OpenBSD 3.7-stable (GENERIC-RD) #0: Sun Jul 24 12:40:20 EST 2005
[EMAIL PROTECTED]:/root/flashboot-0.7/obj/GENERIC-RD
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem = 198746112 (194088K)
avail mem = 162844672 (159028K)
using 2451 buffers containing 10039296 bytes (9804K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(71) BIOS, date 01/24/05, BIOS32 rev. 0 @ 0xfb040
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde60/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 7 12
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xf400
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor "VIA", unknown product 0x0259 rev 0x00
pchb1 at pci0 dev 0 function 1 vendor "VIA", unknown product 0x1259 rev 0x00
pchb2 at pci0 dev 0 function 2 vendor "VIA", unknown product 0x2259 rev 0x00
pchb3 at pci0 dev 0 function 3 vendor "VIA", unknown product 0x3259 rev 0x00
pchb4 at pci0 dev 0 function 4 vendor "VIA", unknown product 0x4259 rev 0x00
pchb5 at pci0 dev 0 function 7 vendor "VIA", unknown product 0x7259 rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 vendor "VIA", unknown product 0x3118 rev 0x02: aperture at 0xf0000000, size 0x10000000
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 12 address 00:03:1d:01:c4:3f
rlphy0 at rl0 phy 0: RTL internal phy
"VIA VT6306 FireWire" rev 0x46 at pci0 dev 11 function 0 not configured
pciide0 at pci0 dev 15 function 0 "VIA VT8237 SATA" rev 0x80: DMA
pciide0: using irq 12 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide1: channel 0 disabled (no drives)
wd0 at pciide1 channel 1 drive 0: <SAMSUNG CF/ATA>
wd0: 1-sector PIO, LBA, 491MB, 1006992 sectors
wd0(pciide1:1:0): using PIO mode 0
pcib0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x60: irq 12
ac97: codec id 0x49434552 (ICEnsemble VIA VT1616i)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x78: irq 7 address 00:03:1d:01:c3:3f
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0032, rev. 8
isa0 at pcib0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ff45 netmask ffc5 ttymask ffc7
rd0: fixed, 19456 blocks
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
gwtest2:
OpenBSD 3.7-stable (GENERIC-RD) #0: Sun Jul 24 12:40:20 EST 2005
[EMAIL PROTECTED]:/root/flashboot-0.7/obj/GENERIC-RD
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem = 198811648 (194152K)
avail mem = 162906112 (159088K)
using 2452 buffers containing 10043392 bytes (9808K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(71) BIOS, date 01/24/05, BIOS32 rev. 0 @ 0xfb040
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde60/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 7 9 12 14
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xf400
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor "VIA", unknown product 0x0259 rev 0x00
pchb1 at pci0 dev 0 function 1 vendor "VIA", unknown product 0x1259 rev 0x00
pchb2 at pci0 dev 0 function 2 vendor "VIA", unknown product 0x2259 rev 0x00
pchb3 at pci0 dev 0 function 3 vendor "VIA", unknown product 0x3259 rev 0x00
pchb4 at pci0 dev 0 function 4 vendor "VIA", unknown product 0x4259 rev 0x00
pchb5 at pci0 dev 0 function 7 vendor "VIA", unknown product 0x7259 rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 vendor "VIA", unknown product 0x3118 rev 0x02: aperture at 0xf0000000, size 0x10000000
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 7 address 00:03:1d:01:c4:40
rlphy0 at rl0 phy 0: RTL internal phy
"VIA VT6306 FireWire" rev 0x46 at pci0 dev 11 function 0 not configured
pciide0 at pci0 dev 15 function 0 "VIA VT8237 SATA" rev 0x80: DMA
pciide0: using irq 12 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide1: channel 0 ignored (disabled)
wd0 at pciide1 channel 1 drive 0: <SanDisk SDCFB-32>
wd0: 1-sector PIO, LBA, 30MB, 62720 sectors
wd0(pciide1:1:0): using PIO mode 4, DMA mode 2
pcib0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x78: irq 14 address 00:03:1d:01:c3:40
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0032, rev. 8
isa0 at pcib0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask bf45 netmask ffc5 ttymask ffc7
rd0: fixed, 19456 blocks
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
The vr NICs were used for the public side of the VPN and the rl for the
private one.

During tests, top shows from 70% to 80% of system CPU usage and here is
the vmstat output:
[EMAIL PROTECTED] isakmpd]# vmstat
 procs   memory        page                    disks     traps         cpu
 r b w    avm    fre   flt  re  pi  po  fr  sr wd0 rd0   int   sys   cs us sy id
 0 0 0   6276 149204    11   0   0   0   0   0   0   0  1745    24  289  0 32 67

[EMAIL PROTECTED] root]# vmstat
 procs   memory        page                    disks     traps         cpu
 r b w    avm    fre   flt  re  pi  po  fr  sr wd0 rd0   int   sys   cs us sy id
 1 0 0   6264 149700     9   0   0   0   0   0   0   0  1809    20  446  0 32 68
Any comment is more than appreciated.
Regards
--
Massimo.run();
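
Added example, not part of the original post: a small Python parser for the isakmpd.conf layout shown above that follows the section references and reports which IKE transforms and ESP suites each connection offers, a quick way to confirm which cipher a throughput figure was measured with. The inline configuration is a trimmed copy of the posted one, and the function names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the isakmpd.conf posted above.
SAMPLE_CONF = """\
[Phase 2]
Connections= VPN-A-B
[peer-machineB]
Configuration= Default-main-mode
[VPN-A-B]
ISAKMP-peer= peer-machineB
Configuration= Default-quick-mode
[Default-main-mode]
# Transforms= 3DES-SHA,BLF-SHA
Transforms= AES-SHA,BLF-SHA
[Default-quick-mode]
Suites= QM-ESP-AES-SHA-SUITE
"""

def parse_conf(text):
    """Parse '[Section]' / 'Tag= Value' lines, skipping '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            tag, value = line.split("=", 1)
            current[tag.strip()] = value.strip()
    return sections

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def offered_ciphers(conf):
    """Map each Phase 2 connection to its IKE transforms and ESP suites."""
    report = {}
    for name in split_list(conf.get("Phase 2", {}).get("Connections", "")):
        conn = conf[name]
        peer = conf[conn["ISAKMP-peer"]]
        report[name] = {
            "phase1": split_list(conf[peer["Configuration"]].get("Transforms", "")),
            "phase2": split_list(conf[conn["Configuration"]].get("Suites", "")),
        }
    return report

if __name__ == "__main__":
    print(offered_ciphers(parse_conf(SAMPLE_CONF)))
```

The "phase2" list is the one that governs the tunnelled traffic; the "phase1" list only protects the IKE negotiation between the two gateways.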