[Soekris] Screams of frustration were heard...
Michael DeMan
michael at staff.openaccess.org
Wed May 7 14:41:20 UTC 2003
Yes.
You have to use 3des for ESP, and sha1 for AH for a full tunnel in order to
get the HiFN chip in the game.
CPU limits on 45xx gear come into play in two conditions:
#1: Encryption, with or without HiFN
#2: 802.11, at least with *BSD where 5.5Mbit WiFi will use 60%+ CPU when
high volume traffic generated.
Lets hope Soren gets those 48xx units out soon!
On 5/7/03 1:53 AM, "Hans-Joerg Hoexer"
<Hans-Joerg.Hoexer at yerbouti.franken.de> wrote:
> Hi,
>
> On Tue, May 06, 2003 at 11:27:49AM -0700, Stephen Milton wrote:
>> I have now run my Soekris 4521s through complete speed testing under
>> Debian Linux, FreeBSD 4.8, and OpenBSD 3.3. I have the Hifn VPN
>> accelerators in each unit. However, I am frustrated by the fact that
>> I cannot seem to configure more than 3-4Mb/s of IPSEC throughput in
>> any combination of OS or patches.
>
> I suppose you were using 3des for encryption. Try using aes or blowfish, i.e.
> the accelerator will _not_ be used. If you are using FreeS/WAN for Linux, you
> need additional patches for aes/blowfish support. On a soekris regarding
> IPsec/VPN-performance aes in software is "faster" than 3des in hardware.
>
> The problem with the soekris boxen and the crypto accelerator seems to be
> related to the overhead of using the accelerator: the CPU is too weak and can
> not keep the accelerator busy at a sustained rate.
>
> On a normal PC with a soekris accelerator I get about 70Mb/s (encrypting 8192
> times 8k blocks of data with 3des, using /dev/crypto on OpenBSD,
> sysctl.usercrypto=1).
>
> Cheers,
> Hans
Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
Fax 360-738-9785
michael at staff.openaccess.org
More information about the Soekris-tech
mailing list