FreeBSD 11.2: how to add the aesni plugin to strongswan?

I installed strongswan using

    pkg install strongswan

But now I've realized I need to have the aesni plugin enabled to optimize my IPsec tunnel. I've already enabled aesni at the OS level. The strongswan instructions say it's best to do at compile time but since I installed via pkg I'm hoping to avoid that.

  • It doesn't look like the aesni plugin exists for FreeBSD but I'm hoping I'm wrong...

    – StackShin
    Jan 12 at 2:14

  • Can you add a link to sources of this plugin?

    – arrowd
    Jan 12 at 7:06

  • Just a note: The aesni plugin only has an effect on IKE traffic (of which there is usually little). It won't improve the performance of actual IPsec traffic, which is handled by the kernel.

    – ecdsa
    Jan 14 at 9:36

  • @ecdsa If that's the case, what are my other options for increasing IPsec performance? I have another thread where the answer was parallelizing IPsec to use multiple cores. I have been unable to find very much, if any, good documentation on how to do that on FreeBSD.

    – StackShin
    Jan 14 at 17:22

  • If you enabled AES-NI support in the kernel(s), you should definitely switch to AES-GCM (esp=aes128gcm16), otherwise the negotiated integrity algorithm will be a bottleneck. But for single connections there might be an upper limit (e.g. single threaded handling to prevent packet reordering).

    – ecdsa
    Jan 15 at 10:49
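
One way to check an existing configuration against the AES-GCM advice in the last comment, as an added example that is not part of the original thread: the function reads ipsec.conf text on stdin and reports, per conn, whether every ESP proposal uses an AEAD cipher or still negotiates a separate integrity algorithm. The function names, the sample configuration and the AEAD keyword pattern are assumptions made for this example; it follows conn %default inheritance but not also= references.

```sh
# Added example. Constructed sample ipsec.conf; names and addresses are made up.
sample_conf() {
cat <<'EOF'
conn %default
    esp=aes128-sha256-modp2048
conn site-a
    right=192.0.2.10
    esp=aes128gcm16!
conn site-b
    right=192.0.2.20
conn site-c
    right=192.0.2.30
    esp=aes256gcm16-modp2048,aes256-sha1
EOF
}

# Reads ipsec.conf text on stdin, prints "<conn> <verdict> <effective esp>".
audit_esp() {
    awk '
    function is_aead(prop,    n, t, i) {      # any AEAD cipher token in the proposal?
        n = split(prop, t, "-")
        for (i = 1; i <= n; i++)
            if (t[i] ~ /^(aes(128|192|256)(gcm|ccm)[0-9]+|chacha20poly1305)$/) return 1
        return 0
    }
    function verdict(val,    n, p, i) {
        if (val == "") return "unset"         # daemon default proposal applies
        sub(/!$/, "", val)                    # strict flag, not an algorithm
        n = split(val, p, ",")
        for (i = 1; i <= n; i++) if (!is_aead(p[i])) return "non-aead"
        return "aead"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^conn[ \t]+/ { name = $2; order[++k] = name; next }
    /^[^ \t]/ { name = ""; next }             # config setup, ca sections
    name != "" && /^[ \t]+esp[ \t]*=/ {
        v = $0; sub(/^[ \t]+esp[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        esp[name] = v
    }
    END {
        for (i = 1; i <= k; i++) {
            c = order[i]; if (c == "%default") continue
            val = (c in esp) ? esp[c] : esp["%default"]   # conn %default is inherited
            print c, verdict(val), (val == "" ? "-" : val)
        }
    }'
}

sample_conf | audit_esp
```

A conn reported as non-aead has at least one ESP proposal that pairs the cipher with a separate integrity algorithm, which is the case the comment describes as the bottleneck.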















freebsd ipsec plugin strongswan

asked Jan 12 at 1:26
StackShin

1 Answer

Try compiling from the /usr/ports/security/strongswan port: copy strongswan to strongswan_my_aesni_edition and edit the code to compile your very own one with the additional option --enable-aesni.

The problem is that the current one has an old version of CONFIGURE_ARGS, which overwrites any modifications you add.

answered Jan 13 at 18:20
Andrew