FreeBSD 11.2: how to add the aesni plugin to strongswan?












I installed strongswan using



pkg install strongswan


But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.































  • It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping I'm wrong...

    – StackShin
    Jan 12 at 2:14

  • Can you add a link to sources of this plugin?

    – arrowd
    Jan 12 at 7:06

  • Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

    – ecdsa
    2 days ago

  • @ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to find very much, if any, good documentation on how to do that on FreeBSD.

    – StackShin
    2 days ago

  • If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single-threaded handling to prevent packet reordering).

    – ecdsa
    yesterday
















freebsd ipsec plugin strongswan






asked Jan 12 at 1:26









StackShin

1 Answer
Try compiling from the /usr/ports/security/strongswan port: copy strongswan to strongswan_my_aesni_edition and edit the code to compile your very own one with the additional option --enable-aesni.

The problem is that the current one has an old version of CONFIGURE_ARGS, which overwrites any modifications you add.






answered Jan 13 at 18:20

Andrew
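
An added example, not part of the original posts: a check for the two things the thread asks about, namely whether the running daemon has the aesni plugin loaded and whether each negotiated ESP proposal is AES-GCM as ecdsa's comment recommends. It assumes the text layout of `ipsec statusall`; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample in the layout of `ipsec statusall` (assumed format).
sample_statusall() {
cat <<'EOF'
Status of IKE charon daemon (strongSwan, FreeBSD 11.2, amd64):
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pem openssl hmac kernel-pfkey kernel-pfroute socket-default stroke
Security Associations (2 up, 0 connecting):
      site-a[1]: ESTABLISHED 5 minutes ago, 192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]
      site-a{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
      site-a{1}:  AES_CBC_128/HMAC_SHA1_96, 1200 bytes_i, 900 bytes_o, rekeying in 40 minutes
      site-a{1}:   10.1.0.0/16 === 10.2.0.0/16
      site-b[2]: ESTABLISHED 5 minutes ago, 192.0.2.1[192.0.2.1]...203.0.113.1[203.0.113.1]
      site-b{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000003_i c0000004_o
      site-b{2}:  AES_GCM_16_128, 800 bytes_i, 700 bytes_o, rekeying in 42 minutes
      site-b{2}:   10.1.0.0/16 === 10.3.0.0/16
EOF
}

# Reads statusall text on stdin and prints one finding per line:
#   plugin aesni loaded|missing
#   child <name> <esp-proposal> aead|separate-integrity
audit_statusall() {
    awk '
    /loaded plugins:/ {
        state = "missing"
        for (i = 3; i <= NF; i++) if ($i == "aesni") state = "loaded"
        print "plugin aesni " state
    }
    # CHILD_SA lines carry "name{N}:"; the proposal line also has byte counters.
    index($1, "{") && /bytes_i/ {
        name = $1; sub(/:$/, "", name)
        prop = $2; sub(/,$/, "", prop)
        # AES-GCM is an AEAD: no separate integrity algorithm is negotiated.
        kind = (prop ~ /AES_GCM_/) ? "aead" : "separate-integrity"
        print "child " name " " prop " " kind
    }'
}

# Prints how many CHILD_SAs still negotiate a separate integrity algorithm.
count_non_gcm() {
    audit_statusall | awk '$NF == "separate-integrity" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a live host: ipsec statusall | audit_statusall
sample_statusall | audit_statusall
```
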
