On Mar 30, 2012, at 10:16 PM, Dewey Hylton wrote:

> i'm getting ready to implement a few new site-to-site vpns using openbsd, and am on the hunt for appropriate hardware. i have several alix (geode) and lanner (intel atom) boxes working wonderfully as firewalls and routers, but neither type are able to provide enough throughput when ipsec is added to their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a minipci, and i know that soekris makes a crypto accelerator (hifn?) that may help - but i'm not sure that'll be enough oomph either. our site-to-site link will provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto performance benchmarks with openbsd, or at least make recommendations based on real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm testing with: auth hmac-sha2-256 enc aes
>
> thanks for your time.
Even if you get hifn or CPU-resident AES-NI, the heavy lifting is done for hmac-stuff (according to the list). This is where you need the power, but hw-acceleration is not there. You might want to get a faster CPU for hmac and preferably AES-NI CPU. Else you have to accept the slow link. //mxb
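A quick way to check the claim above on a candidate box before buying it: measure how fast the CPU alone can HMAC-SHA2-256 packet-sized buffers, which is a ceiling for the authentication half of the ESP work. This is an added example, not code from either poster; it assumes hashlib's SHA-256 runs at roughly the speed of the in-kernel implementation on the same CPU, and the 1400-byte packet size and 50% headroom factor are constructed values.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters: 1400 bytes approximates a full-size ESP payload on a
# 1500-byte MTU link; a 32-byte key matches HMAC-SHA2-256 as used by ipsec(4).
PACKET_BYTES = 1400
KEY = os.urandom(32)


def hmac_sha256_mbps(packet_bytes=PACKET_BYTES, seconds=0.5):
    """Return the rate (Mbit/s) at which this CPU can HMAC-SHA-256 packets.

    Assumption: hashlib's SHA-256 is about as fast as the kernel's C
    implementation on the same CPU, so the result is an upper bound for the
    auth step only; AES, copies and interrupt handling all come on top.
    """
    payload = os.urandom(packet_bytes)
    total_bytes = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hmac.new(KEY, payload, hashlib.sha256).digest()
        total_bytes += packet_bytes
    elapsed = time.perf_counter() - start
    return (total_bytes * 8) / elapsed / 1e6


def sustains_link(link_mbps, measured_mbps, headroom=1.5):
    """True if the measured HMAC rate beats the link rate with headroom.

    The 1.5x headroom is a constructed rule of thumb, since encryption and
    the rest of the packet path are not measured here.
    """
    return measured_mbps > link_mbps * headroom


if __name__ == "__main__":
    rate = hmac_sha256_mbps()
    print(f"HMAC-SHA2-256 over {PACKET_BYTES}-byte packets: {rate:.0f} Mbit/s")
    print("could sustain a 20 Mbit/s link:", sustains_link(20, rate))
```

If this number is already below the link rate, no hifn card will help, since the HMAC is done on the CPU regardless.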

