FreeBSD 11.2: how to add the aesni plugin to strongswan?












0















I installed strongswan using



pkg install strongswan


But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.










share|improve this question







New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping i'm wrong...

    – StackShin
    Jan 12 at 2:14











  • Can you add a link to sources of this plugin?

    – arrowd
    Jan 12 at 7:06






  • 1





    Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

    – ecdsa
    2 days ago











  • @ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to fund very much, if any, good documentation on how to do that on FreeBSD.

    – StackShin
    2 days ago











  • If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

    – ecdsa
    yesterday
















0















I installed strongswan using



pkg install strongswan


But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.










share|improve this question







New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping i'm wrong...

    – StackShin
    Jan 12 at 2:14











  • Can you add a link to sources of this plugin?

    – arrowd
    Jan 12 at 7:06






  • 1





    Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

    – ecdsa
    2 days ago











  • @ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to fund very much, if any, good documentation on how to do that on FreeBSD.

    – StackShin
    2 days ago











  • If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

    – ecdsa
    yesterday














0












0








0








I installed strongswan using



pkg install strongswan


But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.










share|improve this question







New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I installed strongswan using



pkg install strongswan


But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.







freebsd ipsec plugin strongswan






share|improve this question







New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Jan 12 at 1:26









StackShinStackShin

1




1




New contributor




StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






StackShin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping i'm wrong...

    – StackShin
    Jan 12 at 2:14











  • Can you add a link to sources of this plugin?

    – arrowd
    Jan 12 at 7:06






  • 1





    Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

    – ecdsa
    2 days ago











  • @ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to fund very much, if any, good documentation on how to do that on FreeBSD.

    – StackShin
    2 days ago











  • If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

    – ecdsa
    yesterday



















  • It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping i'm wrong...

    – StackShin
    Jan 12 at 2:14











  • Can you add a link to sources of this plugin?

    – arrowd
    Jan 12 at 7:06






  • 1





    Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

    – ecdsa
    2 days ago











  • @ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to fund very much, if any, good documentation on how to do that on FreeBSD.

    – StackShin
    2 days ago











  • If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

    – ecdsa
    yesterday

















It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping i'm wrong...

– StackShin
Jan 12 at 2:14





It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping i'm wrong...

– StackShin
Jan 12 at 2:14













Can you add a link to sources of this plugin?

– arrowd
Jan 12 at 7:06





Can you add a link to sources of this plugin?

– arrowd
Jan 12 at 7:06




1




1





Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

– ecdsa
2 days ago





Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

– ecdsa
2 days ago













@ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to fund very much, if any, good documentation on how to do that on FreeBSD.

– StackShin
2 days ago





@ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to fund very much, if any, good documentation on how to do that on FreeBSD.

– StackShin
2 days ago













If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

– ecdsa
yesterday





If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

– ecdsa
yesterday










1 Answer
1






active

oldest

votes


















1














try compiling from /usr/ports/security/strongswan port with copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with additional option. --enable-aesni



Problem is current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.






share|improve this answer








New contributor




Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    StackShin is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f494051%2ffreebsd-11-2-how-to-add-the-aesni-plugin-to-strongswan%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    try compiling from /usr/ports/security/strongswan port with copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with additional option. --enable-aesni



    Problem is current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.






    share|improve this answer








    New contributor




    Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.

























      1














      try compiling from /usr/ports/security/strongswan port with copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with additional option. --enable-aesni



      Problem is current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.






      share|improve this answer








      New contributor




      Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.























        1












        1








        1







        try compiling from /usr/ports/security/strongswan port with copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with additional option. --enable-aesni



        Problem is current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.






        share|improve this answer








        New contributor




        Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.










        try compiling from /usr/ports/security/strongswan port with copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with additional option. --enable-aesni



        Problem is current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.







        share|improve this answer








        New contributor




        Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer






        New contributor




        Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered Jan 13 at 18:20









        AndrewAndrew

        111




        111




        New contributor




        Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        Andrew is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






















            StackShin is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            StackShin is a new contributor. Be nice, and check out our Code of Conduct.













            StackShin is a new contributor. Be nice, and check out our Code of Conduct.












            StackShin is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f494051%2ffreebsd-11-2-how-to-add-the-aesni-plugin-to-strongswan%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀