Bug #15149

closed

Hardware Crypto showing No Hardware Crypto Acceleration for system with crypto chip installed

Added by Jonathan Lee 9 months ago. Updated 9 months ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 23.09.1
Affected Architecture: SG-2100

Description

The Hardware Crypto is no longer showing up under OpenVPN configuration. My Netgate appliance has a crypto chip installed from Netgate; it is no longer being listed for OpenVPN use.


Files

  • Screenshot 2024-01-08 at 5.22.57 PM.png (472 KB): Not listed was in 23.05.01. Jonathan Lee, 01/09/2024 01:26 AM
  • Screenshot 2024-01-08 at 5.28.16 PM.png (285 KB): Crypto chip installed. Jonathan Lee, 01/09/2024 01:29 AM
  • 1704769488892-screenshot-2024-01-08-at-6.57.28-pm.png (166 KB): Jonathan Lee, 01/10/2024 11:26 PM
  • Screenshot 2024-01-10 152418.png (60.6 KB): ID error not present in 23.05.01. Jonathan Lee, 01/10/2024 11:28 PM

Actions #2

Updated by Jonathan Lee 9 months ago

New firmware was installed; also same issue.

Actions #3

Updated by Jim Pingle 9 months ago

  • Status changed from New to Not a Bug

The OpenVPN crypto hardware choice is not relevant and hasn't done anything meaningful in years. It should probably be removed.

If the dashboard shows it's present/active, it will be used when possible (e.g. with OpenVPN+DCO).

Actions #4

Updated by Jonathan Lee 9 months ago

Is there anything I can do? I have the older 2100 that has this chip; I understand the new 2100 does not come with one. It can still be useful if it is enabled, correct? I am using DCO and have it active in the system. It did function, or appeared to, on 23.05.01. I just hate to see that chip not be used when it's on an official Netgate appliance. I noticed the rack equipment and others use a crypto chip or card. Is this a version thing? I remember you were working on the SMID commands a while back. If you need anything tested, I have a system that is set up to use it.

Actions #5

Updated by Jim Pingle 9 months ago

If it's shown on the dashboard as active, and there is kernel encryption happening on the VPN (e.g. OpenVPN DCO, IPsec, WireGuard) and it's using one of the ciphers listed on the dashboard, then it would be used by the kernel automatically. You do not need to do anything extra.

You have both IPsec-MB and the crypto chip active, so it's going to use whichever of those two methods supports the algorithm chosen for the VPN.

Actions #6

Updated by Jonathan Lee 9 months ago

@Jim Pingle

dco_update_peer_stat: invalid peer ID 0 returned by kernel

shows when using the crypto chip; it's not getting to that ID.

It should go automatically; it never showed this in 23.05.01.

Please see attached; the chip is not being used in my 2100 that was purchased with acceleration.

Actions #7

Updated by Jonathan Lee 9 months ago

25.05.01 It has no issues with that ID
