From: Mike Tancsa
To: Pawel Jakub Dawidek, FreeBSD-current
Date: Sat, 13 Aug 2005 02:14:09 -0400
Subject: Re: VIA/ACE PadLock integration with crypto(9).

At 01:45 AM 13/08/2005, Mike Tancsa wrote:
>Is there something else that needs to be done to tell crypto(4) or
>FAST_IPSEC to use the "hardware" in this case ?

Ok, figures, just after I post, I sort it out. This looks MUCH better now

[ 4] local 10.99.98.1 port 5001 connected with 192.168.43.34 port 61679
[ 4] 0.0-10.0 sec 95.6 MBytes 80.2 Mbits/sec
[ 4] local 10.99.98.1 port 5001 connected with 192.168.43.34 port 62819
[ 4] 0.0-10.0 sec 95.9 MBytes 80.4 Mbits/sec

kldload /padlock.ko
sysctl -w net.inet.ipsec.crypto_support=1

clear the existing association (i.e. setkey -F;setkey -FP) and add it
back and the speeds are blazing fast!

The only reference I could find to this kernel mib was a posting by
Sam long ago
http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323

net.inet.ipsec.crypto_support sysctl: set it -1 to get s/w only, 1 for
h/w only, or 0 (default) to take the best available crypto support.

Perhaps it would be good to add it to the FAST_IPSEC man page ?

# iperf -c 10.99.98.1 -n 1600M
------------------------------------------------------------
Client connecting to 10.99.98.1, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.43.34 port 60429 connected with 10.99.98.1 port 5001
[ 3] 0.0-164.2 sec 1.56 GBytes 81.8 Mbits/sec

From the client itself, the results are pretty good as well!

[itx-vpn]# iperf -c 10.99.98.1 -B 192.168.43.185
------------------------------------------------------------
Client connecting to 10.99.98.1, TCP port 5001
Binding to local address 192.168.43.185
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.43.185 port 57584 connected with 10.99.98.1 port 5001
[ 3] 0.0-10.0 sec 41.8 MBytes 35.1 Mbits/sec
[itx-vpn]# sysctl -w net.inet.ipsec.crypto_support=1
net.inet.ipsec.crypto_support: 0 -> 1
[itx-vpn]# sh test-128.sh start
[itx-vpn]#
[itx-vpn]# iperf -c 10.99.98.1 -B 192.168.43.185
------------------------------------------------------------
Client connecting to 10.99.98.1, TCP port 5001
Binding to local address 192.168.43.185
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.43.185 port 5001 connected with 10.99.98.1 port 5001
[ 3] 0.0-10.0 sec 107 MBytes 89.8 Mbits/sec
[itx-vpn]#

        ---Mike