On Mar 30, 2012, at 10:42 PM, James Shupe wrote:

> On 03/30/2012 03:16 PM, Dewey Hylton wrote:
>> I'm getting ready to implement a few new site-to-site VPNs using OpenBSD,
>> and am on the hunt for appropriate hardware. I have several ALIX (Geode) and
>> Lanner (Intel Atom) boxes working wonderfully as firewalls and routers, but
>> neither type is able to provide enough throughput when IPsec is added to
>> their roles.
>>
>> The Lanner boxes can't accept add-in cards. The ALIX can accept a miniPCI,
>> and I know that Soekris makes a crypto accelerator (hifn?) that may help, but
>> I'm not sure that'll be enough oomph either. Our site-to-site link will
>> provide up to 20Mbps, but the Lanner box is topping out at 3.3Mbps with IPsec
>> and the ALIX is at 1.5Mbps.
>>
>> Can anyone point me to a matrix of hardware types and their crypto
>> performance benchmarks with OpenBSD, or at least make recommendations based on
>> real-world use?
>>
>> I'm using defaults for my IPsec configuration, so this is what I'm testing
>> with: auth hmac-sha2-256 enc aes
>>
>> Thanks for your time.
>
> The ALIX has a crypto accelerator that supports AES-128-CBC. You should
> get around 14Mbps using aes-128 and turning on kern.usercrypto.
I don't see the point in setting kern.usercrypto=1; all support for enc/dec you already get from the hw+kernel. The IPsec stack already uses the HW if supported; otherwise you get software-based enc/dec.

//mxb
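As an added illustration, not part of the thread, here is what the two proposals discussed above look like side by side in OpenBSD's ipsec.conf(5): the default "enc aes" that the original poster tested, and the phase-2 proposal pinned to AES-128 that James suggests for the ALIX. The network ranges, peer address and pre-shared key are placeholders, not anything from the thread.

```conf
# Added example, not from the thread. Networks, gateway and key are
# placeholders; substitute your own.
local_net  = "192.168.1.0/24"   # assumed: this site's LAN
remote_net = "192.168.2.0/24"   # assumed: remote site's LAN
remote_gw  = "203.0.113.2"      # assumed: remote gateway (documentation range)

# 1) Defaults, as tested by the original poster. "enc aes" proposes AES with
#    128-, 192- and 256-bit keys and leaves the key size to negotiation.
#ike esp from $local_net to $remote_net peer $remote_gw quick auth hmac-sha2-256 enc aes psk "replace-me"

# 2) Phase 2 pinned to AES-128, the key size James says the ALIX accelerator
#    handles (AES-128-CBC). The auth algorithm is left at the default.
ike esp from $local_net to $remote_net peer $remote_gw quick auth hmac-sha2-256 enc aes-128 psk "replace-me"
```

Both sides of the tunnel have to agree on the proposal, so the peer's configuration needs the same "enc aes-128" (or a proposal that includes it); otherwise phase 2 negotiation fails rather than silently falling back.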