This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is UTM 9 able to utilize Hardware AES-NI ?

I am looking into dedicated Home UTM Hardware. There is a dual atom board with Hardware AES-NI.

I use Site2Site and RED Connections alot with a vServer and would need 100 Mbit+ throughput. 

Anybody got any experience with that? (Either using an ATOM or Hardware AES-NI)



This thread was automatically locked due to age.
  • Yes, but, to my knowledge, the only IPsec encryption algorithms that use it presently are those with GCM. I would choose "AES 128 GCM (128 bits)" if the other side can match that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • sorry to dig out such an old thread, i did some testing on this

    i tested with an i5-2400 and 5250u processor with sophos utm 9.503-4.

    With Site2Site via IPsec i was able to achieve between 600-800 Mbit/s via all AES Policies, not just the GCM. I will do some more testing over the next days when time permits.

    OpenVPN always seem to rely on pure CPU unaccelerated, but i will post some results here.

    Edit: Confirmed. OpenVPN does not use AES_NI , IPSec does regardless which AES cipher is used.

    ---

    Sophos UTM 9.3 Certified Engineer

  • Ben, did you experiment with AES-128-CBC selected for OpenVPN?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • yes, it seems openvpn is not configured to use aes-ni at all. only ipsec s2s does. RED isn't using AES_NI either.

     

    I suspect that it would be trivial for sophos to enable AES-NI support for OpenVPN (not sure about RED)

    ---

    Sophos UTM 9.3 Certified Engineer