Background
AES-NI is Intel's dedicated instruction set for AES. It significantly speeds up encrypt and decrypt operations, which increases VPN throughput (Site-to-Site, Remote Access and Mobile Access). The overall speed of the system also depends on other parameters.
Refer to sk105119: Best Practices - VPN Performance.
vSEC Virtual Edition (VE) Gateway on VMware ESX fully supports AES-NI.
Prerequisites
- ESX must run on a server whose CPU supports AES-NI.
- The vSEC Virtual Edition (VE) Gateway must run Gaia OS with the 64-bit kernel (refer to sk94627).
- The underlying hypervisor must expose the AES-NI capability to the Virtual Machine (see the instructions below).
How to check if AES-NI capability is exposed to Virtual Machine
- Power On the vSEC Gateway Virtual Machine on the ESXi server.
- Connect to the command line on the vSEC Virtual Edition (VE) Gateway.
- Log in to Expert mode.
- Run the following command:
  [Expert@HostName:0]# dmesg | grep "AES-NI"
Possible Output                                                      | Is AES-NI capability exposed to VM?
---------------------------------------------------------------------|------------------------------------
VPN-1: AES-NI is allowed on this machine. Testing hardware support   |
VPN-1: AES-NI is not supported on this hardware                      | No
---------------------------------------------------------------------|------------------------------------
VPN-1: AES-NI is allowed on this machine. Testing hardware support   |
VPN-1: AES-NI is supported on this hardware                          | Yes
How to expose the AES-NI capability to Virtual Machine
Note: One reason to mask the CPU capabilities is to allow vMotion from a machine that has a certain CPU capability to a machine that does not.
- Power Off the vSEC Virtual Edition (VE) Gateway Virtual Machine.
- Open the vSphere Client.
- In the vSphere Client inventory, right-click on the Virtual Machine - select Edit Settings... - the Virtual Machine Properties window opens.
- Go to the Options tab - in the Advanced section, click on CPUID Mask - click on the Advanced... button - the CPU Identification Mask window opens.
  Reference: Change CPU Identification Mask Settings in the vSphere Client
- Go to the Virtual Machine Default tab - scroll down to the Level 1 section - click on ecx.
- Copy the entire string from the Final Mask field - paste it in the ecx field.
- In the ecx field, go to the 7th flag from the right - change it to H - you should see that the Final Mask changes as well.
  Note: For an explanation of the flags, click on the Legend... button.
- Click on OK to close the CPU Identification Mask window.
- Click on OK to close the Virtual Machine Properties window.
- Power On the vSEC Virtual Edition (VE) Gateway Virtual Machine.
- Connect to the command line on the vSEC Virtual Edition (VE) Gateway.
- Log in to Expert mode.
- Run the following command:
  [Expert@HostName:0]# dmesg | grep "AES-NI"
  Output should be:
  VPN-1: AES-NI is allowed on this machine. Testing hardware support
  VPN-1: AES-NI is supported on this hardware
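Added example (not part of this article and not Check Point code): a small POSIX shell script that turns the two dmesg lines documented above, in both the "How to check" section and the final verification step of "How to expose", into the Yes/No answer from the table, and cross-checks it against the CPU feature flags the Linux kernel publishes in /proc/cpuinfo. Reading /proc/cpuinfo on Gaia is an assumption of this example (Gaia is Linux-based), and the `--live` switch, the function names and the sample inputs are all constructed here; nothing about the dmesg wording beyond what the article shows is assumed.

```shell
#!/bin/sh
# Added example, not from the Check Point article: classify the "dmesg | grep AES-NI"
# output the article documents, and independently check the kernel's CPU flag list.
# Assumption: the gateway exposes /proc/cpuinfo in the usual Linux format.

# aesni_from_dmesg: read "dmesg | grep AES-NI" output on stdin and print
# Yes / No / Unknown. The "not supported" line is matched first so that the
# shared tail "supported on this hardware" can never misclassify it as Yes.
aesni_from_dmesg() {
    log=$(cat)
    case "$log" in
        *"AES-NI is not supported on this hardware"*) echo "No" ;;
        *"AES-NI is supported on this hardware"*)     echo "Yes" ;;
        *)                                            echo "Unknown" ;;
    esac
}

# aesni_from_cpuinfo: read /proc/cpuinfo-format text on stdin and print Yes if a
# "flags" line lists the aes feature as a whole word (so "vaes" alone is not enough).
aesni_from_cpuinfo() {
    if grep -E '^flags[[:space:]]*:' | grep -qw 'aes'; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Constructed sample inputs (not captured from a real gateway).
SAMPLE_DMESG_MASKED='VPN-1: AES-NI is allowed on this machine. Testing hardware support
VPN-1: AES-NI is not supported on this hardware'
SAMPLE_DMESG_EXPOSED='VPN-1: AES-NI is allowed on this machine. Testing hardware support
VPN-1: AES-NI is supported on this hardware'
SAMPLE_CPUINFO_MASKED='processor       : 0
flags           : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt'
SAMPLE_CPUINFO_EXPOSED='processor       : 0
flags           : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt aes avx'

# With --live, run the real checks on the machine this script executes on
# (meant for Expert mode on the gateway); otherwise walk through the samples.
if [ "${1:-}" = "--live" ]; then
    echo "dmesg says AES-NI exposed:   $(dmesg | grep 'AES-NI' | aesni_from_dmesg)"
    echo "cpuinfo says AES-NI exposed: $(aesni_from_cpuinfo < /proc/cpuinfo)"
else
    echo "masked VM,  dmesg:   $(printf '%s\n' "$SAMPLE_DMESG_MASKED"    | aesni_from_dmesg)"
    echo "exposed VM, dmesg:   $(printf '%s\n' "$SAMPLE_DMESG_EXPOSED"   | aesni_from_dmesg)"
    echo "masked VM,  cpuinfo: $(printf '%s\n' "$SAMPLE_CPUINFO_MASKED"  | aesni_from_cpuinfo)"
    echo "exposed VM, cpuinfo: $(printf '%s\n' "$SAMPLE_CPUINFO_EXPOSED" | aesni_from_cpuinfo)"
fi
```

Run it without arguments to see the sample classifications, or with `--live` in Expert mode after the CPUID mask change to confirm both sources agree. If dmesg reports "not supported" while /proc/cpuinfo still lists aes (or the reverse), the mask was applied inconsistently or the guest was not fully powered off before editing it, which is worth resolving before relying on the VPN throughput gain.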
This solution is about products that are no longer supported and it will not be updated.