Enabling AESNI by default

John Baldwin jhb at FreeBSD.org
Thu Dec 31 22:51:50 UTC 2020


On 12/31/20 12:15 PM, Franco Fichtner wrote:
> https://cgit.freebsd.org/src/commit/sys/crypto/aesni?h=stable/12&id=95b37a4ed741fd116809d0f2cb295c4e9977f5b6
> 
> may have subtly broken a number of IPsec installations by stalling active
> connections after certain amounts of traffic transferred.  We're still
> trying to confirm, but it looks like this had an overall impact on 12.0
> and 12.1 except that only one person in OPNsense traced it back to aesni.ko
> to our knowledge to effectively work around an apparent issue there.
> 
> If that is not the actual fix, the problem still exists in 12.2 and onward ;)

We don't support AES-CCM for IPsec, so there is 0 chance that commit has any
effect on IPsec in 12.  There's not much detail in the forum posts though
(e.g. netstat -s output to get ipsec, esp, and ah stats).  Also, at least
one forum post mentioned it happened when doing an upgrade from 11.2 to 12.1
which is a larger set of changes.  I know the pfsense folks had a major
performance regression due to iflib with Intel e1000 devices that might
manifest as this perhaps?  Disabling aesni might just be throttling the
connection slow enough to avoid hitting a bug in a NIC driver for example.
I think netstat -s would be a better place to start to try to debug this.

> https://github.com/opnsense/core/issues/4415

-- 
John Baldwin
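One way to follow the netstat -s advice above is to snapshot the ESP/AH/ipsec counters while the tunnel is healthy and again once it stalls, then look only at what moved. The script below is an added example, not part of the thread; it assumes FreeBSD's `netstat -s -p esp` "<count> <description>" layout, and the snapshot contents are constructed samples, not real output.

```shell
# Added example, not from the thread: diff two snapshots of
# `netstat -s -p esp` (the same works for -p ipsec or -p ah) taken before
# and after an IPsec stall, printing only the counters that moved.
# Snapshot contents below are constructed samples in FreeBSD's
# "<count> <description>" layout; the real label set varies by release.

# netstat_delta BEFORE AFTER: print "<delta> <label>" for each counter
# whose value differs between the two files, largest movement first.
netstat_delta() {
    awk '
        /^[[:space:]]*[0-9]+ / {
            sub(/^[[:space:]]+/, "")
            n = $1; $1 = ""; label = substr($0, 2)
            if (FNR == NR) before[label] = n          # still in first file
            else { after[label] = n; seen[label] = 1 }
        }
        END {
            for (l in seen) {
                d = after[l] - (l in before ? before[l] : 0)
                if (d != 0) printf "%d\t%s\n", d, l
            }
        }' "$1" "$2" | sort -rn
}

# sample_delta: run netstat_delta over two constructed snapshots.  On a real
# box you would instead save `netstat -s -p esp > before.txt` while the
# tunnel is healthy and `> after.txt` once it stalls.
sample_delta() {
    b=$(mktemp); a=$(mktemp)
    cat > "$b" <<'EOF'
esp:
        120345 packets in
        118877 packets out
        0 packets dropped; bad authentication
        0 possible replay packets
        0 crypto processing failure
EOF
    cat > "$a" <<'EOF'
esp:
        130012 packets in
        128200 packets out
        0 packets dropped; bad authentication
        0 possible replay packets
        47 crypto processing failure
EOF
    netstat_delta "$b" "$a"
    rm -f "$b" "$a"
}
sample_delta
```

A drop or failure counter that climbs in step with the stall (rather than only the in/out packet counters) points at the IPsec/crypto path; if nothing there moves, the NIC driver theory in the reply above becomes the better lead.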