On 2007/01/15 09:39, Heinrich Rebehn wrote:
> I thought about buying a vpn1411, but have read about problems with
> corrupted mac, which don't seem to be resolved so far.

I only remember seeing posts about problems with encryption in user processes, not the kernel. If it is indeed reliable with kernel use, then you can set sysctl kern.usercrypto=0 and restrict use of the card to the kernel.

However the Geode hardware platform has a weak PCI system relying in part on emulation in the CPU; this is the main cause of limited throughput on this hardware; depending on what sort of speeds you're trying to achieve, the accelerator may not be enough. If you disable IPsec and pass the amount of bandwidth you need to support through the system, you can watch top(1) and examine the cpu% spent handling interrupts; if there is not a reasonable amount free to handle the interrupts from the accelerator card, it won't help you.

The systems using VIA processors are very much faster even without hardware AES support since they have a better PCI system; the models with accelerated encryption do so by using new CPU instructions, rather than a device which must be accessed over the PCI bus. There's far less overhead because of this. AMD Geode LX processors also have AES instructions on-CPU (for 128-bit, anyway) but they're not yet supported (-current has support for the random number generator, "AES to be added later").

Other hardware - Commell has been mentioned, Liantec are another option (some of their hardware is listed here: http://kd85.com/liantec.html), and of course there are others.