FreeBSD 11.2: how to add the aesni plugin to strongswan?
I installed strongswan using
pkg install strongswan
But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.
freebsd ipsec plugin strongswan
It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping I'm wrong...
– StackShin
Jan 12 at 2:14
Can you add a link to sources of this plugin?
– arrowd
Jan 12 at 7:06
Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.
– ecdsa
2 days ago
@ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to find very much, if any, good documentation on how to do that on FreeBSD.
– StackShin
2 days ago
If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).
– ecdsa
yesterday
asked Jan 12 at 1:26
StackShin
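A check for the situation ecdsa's comment describes, as an added example (not from the thread or from strongSwan): it reads an ipsec.conf and reports, per conn, whether each explicit esp= proposal is AES-GCM or negotiates a separate integrity algorithm. The connection names and addresses are constructed, and inheritance through conn %default or also= is not resolved.

```shell
#!/bin/sh
# Added example: flag explicit esp= proposals that are not AES-GCM.

# Constructed sample ipsec.conf (documentation addresses, made-up conn names).
sample_conf() {
    cat <<'EOF'
config setup

conn site-a
    left=192.0.2.1
    right=198.51.100.1
    esp=aes128-sha256!
    auto=start

conn site-b
    left=192.0.2.1
    right=203.0.113.1
    esp=aes128gcm16,aes256-sha1
    auto=start
EOF
}

# check_esp [FILE]: prints "conn<TAB>proposal<TAB>verdict", one line per proposal.
# Reads stdin when no file is given.
check_esp() {
    awk '
        /^[ \t]*#/      { next }                 # comment line
        /^conn[ \t]+/   { conn = $2; next }      # start of a conn section
        /^[^ \t]/       { conn = ""; next }      # any other section (config setup, ca)
        conn != "" && /^[ \t]+esp[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)        # keep the value only
            sub(/![ \t]*$/, "", val)             # drop the strict-mode "!" suffix
            n = split(val, props, ",")
            for (i = 1; i <= n; i++) {
                p = props[i]; gsub(/[ \t]/, "", p)
                verdict = (p ~ /^aes(128|192|256)gcm/) ? "aead" : "separate-integrity"
                printf "%s\t%s\t%s\n", conn, p, verdict
            }
        }
    ' "${1:--}"
}

# count_non_gcm [FILE]: number of proposals that still carry a separate integrity algorithm.
count_non_gcm() {
    check_esp "$@" | awk -F'\t' '$3 == "separate-integrity" { n++ } END { print n + 0 }'
}

sample_conf | check_esp
```

A non-zero result from `count_non_gcm /usr/local/etc/ipsec.conf` (the usual path for the FreeBSD package, an assumption here) means at least one proposal can still negotiate a separate integrity algorithm.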
1 Answer
Try compiling from the /usr/ports/security/strongswan port: copy strongswan to strongswan_my_aesni_edition and edit the code to compile your very own one with the additional option --enable-aesni.
The problem is that the current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.
answered Jan 13 at 18:20
Andrew