Feature #7738


Highlight which IPSec (or other VPN) crypto modes are hardware-accelerated in the UI

Added by Adam Thompson over 6 years ago. Updated over 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:


I've found it VERY difficult to determine precisely which combinations of ciphers and MACs will be hardware-accelerated, when configuring an IPSec tunnel.

The "Hardware cryto" entry in the dashboard's System Info gadget helps a bit, but not enough to really tell me which combinations to use.
To anyone not an expert in the sub-field, it's not at all obvious that "AES-CBC" translates to "AES" on the IPSec page. Nor whether "AES-GCM" covers all of "AES128-GCM", "AES192-GCM" and "AES256-GCM", for example. And it doesn't help at all when picking a hash algorithm. I've figured out that if I use "AESxxx-GCM" I can use "AES-XCBC" as the hash

I can see two possible options to make people configuring VPNs happier:

1) extend the existing dashboard widget (or turn it into its own gadget) to show precisely which ciphers would be hardware-accelerated. (I imagine that this would be a fairly large [combinatorial] list.)

2) when selecting ciphers and hashes in the IPSec (or elsewhere) UI, indicate to the user whether the hash, the cipher, or both, will be hardware accelerated or not.

3) I suppose this could also be solved with better documentation, but who does that nowadays? ;-) (Um, if it's actually in the pfSense book, I haven't found it yet. That would mean this should be a bug report instead.)

Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to IPsec

I'm not sure if we can do this. A lot of this is hardware-dependent, and unfortunately, OpenSSL 1.1.1 seems to have made it more difficult to tell what is accelerated (See #9646) So unless we keep a manual list of which chips support which ciphers, it might not be possible.


Also available in: Atom PDF