Post by mikael on Oct 8, 2015 11:50:37 GMT
Hi,
I have a few alix boards and would like to make use of the integrated hw crypto for speeding up VPN connections.
My smallwall status page says: Hardware crypto: AMD Geode LX Security Block (enabled)
My dmesg outputs: [snip] glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0 [snip]
How can I make sure or confirm that L2TP/IPSEC utilizes this hw feature? I don't see any options to enable hardware crypto either in advanced options or in the VPN settings.
On another alix board I have the status page says: Hardware crypto: AMD Geode LX Security Block
No "(enabled)" and nothing in the dmesg output. If I run kldload glxsb it gets enabled and shows up in dmesg.
I don't find any way to load this module automatically at system startup. How can I do this?
TIA, Mikael
Post by Lee Sharp on Oct 8, 2015 17:52:04 GMT
Several answers here... First, the code for L2TP is also the IPsec code, so it is set to automatically use it there... That said, it only uses the hardware for DES and 3DES, both of which are not very secure these days. But if you want to force it to load (and it may help other algorithms; if so, let me know!) you can use shell commands in the hidden config options: www.smallwall.org/docs/handbook/faq-hiddenopts.html
Under <system> add
<earlyshellcommand>kldload glxsb</earlyshellcommand>
and this will run it early in the boot process.
Post by mikael on Oct 9, 2015 8:26:50 GMT
Hi Lee, Thank you for the quick answer.
I'm a bit confused because the integrated hw crypto on my board reports supporting AES-128-CBC (see dmesg output above). Shouldn't it be possible to have hw crypto working with IPSEC and L2TP/IPSEC if set to use AES-128-CBC?
I can specify crypto to use in the IPSEC menu, but I don't find such options under L2TP/IPSEC menu.
I would really much like to understand exactly how this is supposed to work and how it's implemented.
TIA, Mikael
Post by Lee Sharp on Oct 9, 2015 19:49:42 GMT
Set it up in the IPsec side, and it should be persistent on the L2TP side.
As to support, we are running some older versions of racoon, so it does not have all the latest features. I am working on upgrading key components as I go. SNMP was upgraded to allow 64-bit counters, which were needed for bandwidth monitoring!
But each part takes time, and racoon is heavily entwined in the firewall, so it will take a LOT of work.
Post by mikael on Oct 11, 2015 7:24:26 GMT
Hi,
Do you say I should enable IPSEC in the IPSEC menu in order to have L2TP/IPSEC using hw crypto? I'm sorry I don't really understand what you are trying to tell me. Can you please explain.
Is the newer version of racoon needed for better encryption algorithms (such as AES-128-CBC) to work with IPSEC and/or L2TP/IPSEC?
TIA, Mikael
Post by Lee Sharp on Oct 11, 2015 17:54:34 GMT
This is actually a hard question to answer... Since L2TP is new, it is not fully understood and tested. And since we are still on FreeBSD 8.4, the racoon version is less than current, and that does not help. Also, neither I nor anyone I know has access to a hardware crypto card, so I have no way to test.
All I can say is to try the tunnel normally, then using exec.php enable the hardware card and see if there is a performance difference on the various encryption methods. Then either enable it in a full IPsec tunnel and see if it sticks, or add it in an <earlyshellcommand> variable.
But please let me know what you find! I would love to have the best support I can for your hardware.
Post by mikael on Nov 1, 2015 12:13:21 GMT
I'm sorry. I did not have time to test L2TP and hw crypto for a while. I will report all my test results here as soon as I can. It would be really nice to know that hw crypto is used.
You say that racoon is old and FreeBSD 8.4 is old too. That's true. But my hw seems to be recognized by Smallwall and the driver is loaded. So I guess it's just a matter of making sure L2TP/IPSEC uses this.
Is there a way (log file or something else) where I can see exactly how racoon builds its tunnel and what encryption it uses and if it really uses available hw crypto?
TIA, Mikael
Post by Lee Sharp on Nov 1, 2015 13:37:02 GMT
If you use exec.php you can look at dmesg to see if it is enabled, and you can look at status commands. You may be able to get some information from status.php as well. I do not have any hardware crypto, so I do not know how it will look.
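One way to turn the checks Lee suggests (look at dmesg, look at status commands, compare before and after loading the module) into something repeatable. This is an added example, not code from the thread or from the SmallWall project. The functions take command output as text so they can be exercised offline on constructed samples: the glxsb0 line copies Mikael's quoted dmesg output, while the kldstat and setkey -D layouts are what I expect from FreeBSD 8.x and should be checked against the real output. The "(enabled)" summary is my approximation of the status page's wording, not its actual logic, and "rijndael-cbc" as setkey's name for AES-CBC is likewise an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or the SmallWall project.
# Two checks to run (via exec.php or a console shell) before and after
# "kldload glxsb":
#   1. Is the Geode LX Security Block driver loaded and attached?  (kldstat, dmesg)
#   2. Which ESP cipher did racoon actually negotiate?             (setkey -D)
# On the firewall itself, feed the live output in:
#   glxsb_status "$(dmesg)" "$(kldstat)"
#   esp_ciphers  "$(setkey -D)"

# --- 1. driver state -------------------------------------------------------

# Return 0 if the dmesg text contains the glxsb0 attach line quoted in the thread.
glxsb_attached() {
    printf '%s\n' "$1" | grep -q '^glxsb0: <AMD Geode LX Security Block'
}

# Print the algorithm list the driver advertised, e.g. "AES-128-CBC, RNG".
glxsb_algos() {
    printf '%s\n' "$1" | sed -n 's/^glxsb0: <AMD Geode LX Security Block (\([^)]*\))>.*/\1/p'
}

# Return 0 if kldstat text lists glxsb.ko (module loaded, device may or may
# not have attached). Layout assumed from FreeBSD 8.x kldstat.
glxsb_module_loaded() {
    printf '%s\n' "$1" | grep -q '[[:space:]]glxsb\.ko$'
}

# One-line summary in the spirit of the status page's crypto line
# (assumption: "enabled" means module loaded AND device attached).
glxsb_status() {
    # $1 = dmesg text, $2 = kldstat text
    if glxsb_module_loaded "$2" && glxsb_attached "$1"; then
        echo "AMD Geode LX Security Block (enabled)"
    elif glxsb_module_loaded "$2"; then
        echo "AMD Geode LX Security Block (module loaded, no device attached)"
    else
        echo "AMD Geode LX Security Block (driver not loaded)"
    fi
}

# --- 2. negotiated ESP cipher ----------------------------------------------

# Print one "src dst cipher" line per ESP SA.  Assumes setkey -D prints a
# "src dst" header line followed by indented lines such as "E: <alg> <key>".
esp_ciphers() {
    printf '%s\n' "$1" | awk '
        /^[0-9]/           { src = $1; dst = $2 }
        /^[[:space:]]*E: / { print src, dst, $2 }
    '
}

# --- constructed samples (not captured from a real box) --------------------

DMESG_OK='pci0: <ACPI PCI bus> on pcib0
glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0
vr0: <VIA VT6105M Rhine III 10/100BaseTX> port 0xe000-0xe0ff irq 10 at device 9.0 on pci0'
DMESG_NONE='pci0: <ACPI PCI bus> on pcib0'
KLDSTAT_OK='Id Refs Address    Size     Name
 1   10 0xc0400000 9b1b18   kernel
 2    1 0xc5a3c000 3000     glxsb.ko'
KLDSTAT_NONE='Id Refs Address    Size     Name
 1    9 0xc0400000 9b1b18   kernel'
SETKEY_SAMPLE='192.0.2.1 192.0.2.2
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
    E: rijndael-cbc  00112233 44556677 8899aabb ccddeeff
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=3203386110(0xbeefcafe) reqid=0(0x00000000)
    E: 3des-cbc  00112233 44556677 8899aabb ccddeeff 00112233 44556677
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000'

glxsb_status "$DMESG_OK"   "$KLDSTAT_OK"
glxsb_status "$DMESG_NONE" "$KLDSTAT_NONE"
esp_ciphers  "$SETKEY_SAMPLE"
```

Two caveats when reading the results. Seeing rijndael-cbc (AES) in setkey -D only proves what racoon negotiated; the kernel will fall back to its software crypto driver for any algorithm no hardware driver claims, so the cipher name alone does not prove glxsb did the work. The only evidence that does is the before/after throughput comparison Lee describes: same tunnel, same cipher, with and without the module loaded.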
andy
New Member
Amazing developer of the *walls...
Posts: 8
Post by andy on Nov 13, 2015 14:19:05 GMT
When L2TP is enabled, the glxsb module is unloaded, as there is a bug in the glxsb driver that will stop L2TP working. When hardware crypto is enabled, the status page says 'enabled' beside the crypto line.
Post by mikael on Nov 16, 2015 10:12:42 GMT
Hi Andy, Thanks for the clarification. This however effectively prevents me from using L2TP/IPSEC together with hw crypto on these boards.
Is this something that will perhaps change in the future?
TIA, Mikael
Post by andy on Nov 26, 2015 15:53:00 GMT
Hi, I haven't dug into the bug; it could already be fixed in FreeBSD 10. I'll have to take a peek.
However, I'm not sure what you are expecting of glxsb offload; it has never had good performance from users. Have you been hitting CPU limitations currently?