VIA/ACE PadLock integration with crypto(9).
Mike Tancsa
mike at sentex.net
Sat Aug 13 06:14:45 GMT 2005
At 01:45 AM 13/08/2005, Mike Tancsa wrote:
>Is there something else that needs to be done to tell crypto(4) or
>FAST_IPSEC to use the "hardware" in this case ?
Ok, figures, just after I post, I sort it out.
This looks MUCH better now
[ 4] local 10.99.98.1 port 5001 connected with 192.168.43.34 port 61679
[ 4] 0.0-10.0 sec 95.6 MBytes 80.2 Mbits/sec
[ 4] local 10.99.98.1 port 5001 connected with 192.168.43.34 port 62819
[ 4] 0.0-10.0 sec 95.9 MBytes 80.4 Mbits/sec
kldload /padlock.ko
sysctl -w net.inet.ipsec.crypto_support=1
clear the existing association (i.e. setkey -F;setkey -FP) and add it back
and the speeds are blazing fast!
The only reference I could find to this kernel mib was a posting by
Sam long ago
http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323
net.inet.ipsec.crypto_support sysctl: set it -1 to get s/w only, 1 for h/w
only, or 0 (default) to take the best available crypto support.
Perhaps it would be good to add it to the FAST_IPSEC man page ?
# iperf -c 10.99.98.1 -n 1600M
------------------------------------------------------------
Client connecting to 10.99.98.1, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.43.34 port 60429 connected with 10.99.98.1 port 5001
[ 3] 0.0-164.2 sec 1.56 GBytes 81.8 Mbits/sec
From the client itself, the results are pretty good as well!
[itx-vpn]# iperf -c 10.99.98.1 -B 192.168.43.185
------------------------------------------------------------
Client connecting to 10.99.98.1, TCP port 5001
Binding to local address 192.168.43.185
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.43.185 port 57584 connected with 10.99.98.1 port 5001
[ 3] 0.0-10.0 sec 41.8 MBytes 35.1 Mbits/sec
[itx-vpn]# sysctl -w net.inet.ipsec.crypto_support=1
net.inet.ipsec.crypto_support: 0 -> 1
[itx-vpn]# sh test-128.sh start
[itx-vpn]#
[itx-vpn]# iperf -c 10.99.98.1 -B 192.168.43.185
------------------------------------------------------------
Client connecting to 10.99.98.1, TCP port 5001
Binding to local address 192.168.43.185
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.43.185 port 5001 connected with 10.99.98.1 port 5001
[ 3] 0.0-10.0 sec 107 MBytes 89.8 Mbits/sec
[itx-vpn]#
---Mike
More information about the freebsd-current
mailing list