----- Original Message -----
> From: "James Shupe" <jsh...@hermetek.com>
> To: "Dewey Hylton" <dewey.hyl...@gmail.com>
> Sent: Friday, March 30, 2012 4:40:23 PM
> Subject: Re: openbsd / ipsec / hardware
> 
> On 03/30/2012 03:16 PM, Dewey Hylton wrote:
> > i'm getting ready to implement a few new site-to-site vpns using
> > openbsd, and am on the hunt for appropriate hardware. i have
> > several alix (geode) and lanner (intel atom) boxes working
> > wonderfully as firewalls and routers, but neither type is able to
> > provide enough throughput when ipsec is added to their roles.
> > 
> > the lanner boxes can't accept add-in cards. the alix can accept a
> > minipci, and i know that soekris makes a crypto accelerator
> > (hifn?) that may help - but i'm not sure that'll be enough oomph
> > either. our site-to-site link will provide up to 20Mbps, but the
> > lanner box is topping out at 3.3Mbps with ipsec and the alix is at
> > 1.5Mbps.
> > 
> > can anyone point me to a matrix of hardware types and their crypto
> > performance benchmarks with openbsd, or at least make
> > recommendations based on real-world use?
> > 
> > i'm using defaults for my ipsec configuration, so this is what i'm
> > testing with: auth hmac-sha2-256 enc aes
> > 
> > thanks for your time.
> > 
> 
> The Alix has a crypto accelerator that supports AES-128-CBC. You should
> get around 14Mbps using aes-128 and turning on kern.usercrypto (speed
> tested with OpenVPN*).
> 
> -J

would you mind posting your (sanitized) openvpn configuration, as well
as your bandwidth measuring method?

i attempted this today and am seeing much less than 14Mbps. i'm probably
not measuring the same way, however, as i'm using a simple scp which 
obviously has its own overhead - but does give me what i believe to be
a fair comparison (testing with and without vpn).
