Date: Sat, 13 Aug 2005 02:14:09 -0400 From: Mike Tancsa <mike@sentex.net> To: Pawel Jakub Dawidek <pjd@freebsd.org>, FreeBSD-current <freebsd-current@freebsd.org> Subject: Re: VIA/ACE PadLock integration with crypto(9). Message-ID: <6.2.3.4.0.20050813015047.03dec1b0@64.7.153.2> In-Reply-To: <6.2.3.4.0.20050813012441.061d08b0@64.7.153.2> References: <20050812134511.GE25162@garage.freebsd.pl> <6.2.3.4.0.20050813012441.061d08b0@64.7.153.2>
next in thread | previous in thread | raw e-mail | index | archive | help
At 01:45 AM 13/08/2005, Mike Tancsa wrote: >Is there something else that needs to be done to tell crypto(4) or >FAST_IPSEC to use the "hardware" in this case ? Ok, figures, just after I post, I sort it out. This looks MUCH better now [ 4] local 10.99.98.1 port 5001 connected with 192.168.43.34 port 61679 [ 4] 0.0-10.0 sec 95.6 MBytes 80.2 Mbits/sec [ 4] local 10.99.98.1 port 5001 connected with 192.168.43.34 port 62819 [ 4] 0.0-10.0 sec 95.9 MBytes 80.4 Mbits/sec kldload /padlock.ko sysctl -w net.inet.ipsec.crypto_support=1 clear the existing association (i.e. setkey -F;setkey -FP) and add it back and the speeds are blazing fast! The only reference I could find to this kernel mib was a posting by Sam long ago http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323 net.inet.ipsec.crypto_support sysctl: set it -1 to get s/w only, 1 for h/w only, or 0 (default) to take the best available crypto support. Perhaps it would be good to add it to the FAST_IPSEC man page ? # iperf -c 10.99.98.1 -n 1600M ------------------------------------------------------------ Client connecting to 10.99.98.1, TCP port 5001 TCP window size: 32.5 KByte (default) ------------------------------------------------------------ [ 3] local 192.168.43.34 port 60429 connected with 10.99.98.1 port 5001 [ 3] 0.0-164.2 sec 1.56 GBytes 81.8 Mbits/sec From the client itself, the results are pretty good as well! [itx-vpn]# iperf -c 10.99.98.1 -B 192.168.43.185 ------------------------------------------------------------ Client connecting to 10.99.98.1, TCP port 5001 Binding to local address 192.168.43.185 TCP window size: 32.5 KByte (default) ------------------------------------------------------------ [ 3] local 192.168.43.185 port 57584 connected with 10.99.98.1 port 5001 [ 3] 0.0-10.0 sec 41.8 MBytes 35.1 Mbits/sec [itx-vpn]# sysctl -w net.inet.ipsec.crypto_support=1 net.inet.ipsec.crypto_support: 0 -> 1 [itx-vpn]# sh test-128.sh start [itx-vpn]# [itx-vpn]# iperf -c 10.99.98.1 -B 192.168.43.185 ------------------------------------------------------------ Client connecting to 10.99.98.1, TCP port 5001 Binding to local address 192.168.43.185 TCP window size: 32.5 KByte (default) ------------------------------------------------------------ [ 3] local 192.168.43.185 port 5001 connected with 10.99.98.1 port 5001 [ 3] 0.0-10.0 sec 107 MBytes 89.8 Mbits/sec [itx-vpn]# ---Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.3.4.0.20050813015047.03dec1b0>