FreeBSD 11.2: how to add the aesni plugin to strongswan?
I installed strongswan using
pkg install strongswan
But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.
freebsd ipsec plugin strongswan
It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping I'm wrong...
– StackShin
Jan 12 at 2:14
Can you add a link to sources of this plugin?
– arrowd
Jan 12 at 7:06
1
Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.
– ecdsa
Jan 14 at 9:36
@ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to find very much, if any, good documentation on how to do that on FreeBSD.
– StackShin
Jan 14 at 17:22
If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).
– ecdsa
Jan 15 at 10:49
asked Jan 12 at 1:26
StackShin
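A check that follows from ecdsa's comment about switching to AES-GCM, as an added example that is not part of the original thread: a POSIX sh/awk audit that lists each ESP proposal in an ipsec.conf and marks the ones that are not AES-GCM. The function names, the conn names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: list every ESP proposal in an ipsec.conf and mark whether it
# is AES-GCM. Reads the file named in $1, or standard input when no file is given.
audit_esp() {
    awk '
        /^[ \t]*#/    { next }                  # comment line
        /^conn[ \t]+/ { conn = $2; next }       # start of a conn section
        /^[^ \t]/     { conn = ""; next }       # any other section header
        conn != "" && /^[ \t]+esp[ \t]*=/ {
            val = $0
            sub(/^[ \t]+esp[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]*#.*$/, "", val)          # trailing comment
            gsub(/[ \t!]/, "", val)             # spaces and the strict "!" flag
            n = split(val, props, ",")
            for (i = 1; i <= n; i++) {
                verdict = (props[i] ~ /^aes[0-9]*gcm[0-9]+/) ? "gcm" : "non-gcm"
                print conn, props[i], verdict
            }
        }
    ' "${1:--}"
}

# Number of proposals that are not AES-GCM.
count_non_gcm() {
    audit_esp "$@" | awk '$3 == "non-gcm" { n++ } END { print n + 0 }'
}

# Constructed sample configuration (hypothetical conn names).
sample_conf() {
    cat <<'EOF'
config setup
    uniqueids=yes

conn legacy
    keyexchange=ikev2
    esp=aes128-sha256-modp2048!

conn tuned
    keyexchange=ikev2
    esp=aes128gcm16,aes256-sha1   # fallback proposal after the GCM one
EOF
}

sample_conf | audit_esp
```

A conn with no esp= line produces no output here and falls back to strongSwan's default proposals.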
1 Answer
Try compiling from the /usr/ports/security/strongswan port by copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with the additional option --enable-aesni.
The problem is that the current one has an old version of CONFIGURE_ARGS which overwrites any modifications you add.
answered Jan 13 at 18:20
Andrew