Technical Paper
Boosting IPsec and VPN Performance in pfSense Software with IIMB
The OpenCrypto Framework (OCF) in FreeBSD abstracts the underlying cryptography implementation by providing a set of API functions for in-kernel data encryption, decryption and hashing. The drivers behind these functions come from a variety of cryptographic providers, ranging from software instructions to hardware accelerators.
This paper describes the utility of an engine that replaces OCF and integrates the Intel Multi-Buffer Crypto for IPsec Library (IIMB) as the provider for the AES-GCM, AES-CBC and ChaCha20-Poly1305 ciphers, offering reduced CPU overhead and significantly improved performance of pfSense-supported VPNs. The solution was developed for both x86-64 and ARM-64 architectures.