vSEC Virtual Edition (VE) Gateway support for AES-NI on VMware ESX
Solution

Background

AES-NI is Intel's dedicated AES instruction set. It significantly speeds up encrypt/decrypt operations, which increases VPN throughput (Site-to-Site, Remote Access and Mobile Access). The overall speed of the system also depends on other parameters.

Refer to sk105119: Best Practices - VPN Performance.

vSEC Virtual Edition (VE) Gateway on VMware ESX fully supports AES-NI.

 

Prerequisites

  • ESX needs to run on a server whose CPU supports AES-NI
  • The vSEC Virtual Edition (VE) Gateway should run Gaia OS with 64-bit kernel (refer to sk94627)
  • The underlying hypervisor exposes the AES-NI capability (see the instructions below)

 

How to check if AES-NI capability is exposed to Virtual Machine

  1. Power On the vSEC Gateway Virtual Machine on ESXi server.

  2. Connect to command line on vSEC Virtual Edition (VE) Gateway.

  3. Log in to Expert mode.

  4. Run the following command:

    [Expert@HostName:0]# dmesg | grep "AES-NI"

    Possible Output                                                     | Is AES-NI capability exposed to VM?
    --------------------------------------------------------------------+------------------------------------
    VPN-1: AES-NI is allowed on this machine. Testing hardware support  |
    VPN-1: AES-NI is not supported on this hardware                     | No
    --------------------------------------------------------------------+------------------------------------
    VPN-1: AES-NI is allowed on this machine. Testing hardware support  |
    VPN-1: AES-NI is supported on this hardware                         | Yes

 

How to expose the AES-NI capability to Virtual Machine

Note: One reason to mask the CPU capabilities is to allow vMotion from a machine that has a certain CPU capability to a machine that does not.

  1. Power Off the vSEC Virtual Edition (VE) Gateway Virtual Machine.

  2. Go to vSphere Client.

  3. In the vSphere Client inventory, right-click on the Virtual Machine - select Edit Settings... - the Virtual Machine Properties window opens.

  4. Go to Options tab - in the Advanced section, click on CPUID Mask - click on Advanced... button - the CPU Identification Mask window opens.

    Reference: Change CPU Identification Mask Settings in the vSphere Client

    Example:

  5. Go to Virtual Machine Default tab - scroll down to Level 1 section - click on ecx.

    Example:

  6. Copy the entire string from Final Mask field - paste it in the ecx field.

    Example:

  7. In the ecx field, go to the 7th flag from the right - change it to H - you should see that Final Mask changes as well.

    Note: For an explanation of the flags, click on the Legend... button.

    Example:

  8. Click on OK to close the CPU Identification Mask window.

  9. Click on OK to close the Virtual Machine Properties window.

  10. Power On the vSEC Virtual Edition (VE) Gateway Virtual Machine.

  11. Connect to command line on vSEC Virtual Edition (VE) Gateway.

  12. Log in to Expert mode.

  13. Run the following command:

    [Expert@HostName:0]# dmesg | grep "AES-NI"

    Output should be:

    VPN-1: AES-NI is allowed on this machine. Testing hardware support
    VPN-1: AES-NI is supported on this hardware
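The check in step 13 above (and in the "How to check" section), as an added script that is not part of this SK article and not Check Point's own tooling: it classifies the VPN-1 kernel-log lines that the article's "dmesg | grep AES-NI" command returns, and independently cross-checks the "aes" CPUID flag the guest kernel reports in /proc/cpuinfo, so a masked capability or a disagreement between the two signals is caught before VPN throughput is measured. It assumes a standard Linux /proc/cpuinfo layout (which Gaia, being Linux-based, provides); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Check Point SK article): decide whether AES-NI is
# exposed to the vSEC VE guest from the same kernel-log lines the article's
# "dmesg | grep AES-NI" command returns, and cross-check the "aes" CPUID flag the
# guest kernel reports in /proc/cpuinfo. Assumes a standard Linux /proc/cpuinfo
# layout, which Gaia (Linux-based) provides.

# Classify the VPN-1 kernel-log lines. Prints "yes" when the second line reports
# hardware support, "no" when it reports no support, and "unknown" when neither
# message is present (for example, the VPN module has not logged yet).
aesni_status_from_dmesg() {
    if printf '%s\n' "$1" | grep -q 'AES-NI is supported on this hardware'; then
        echo yes
    elif printf '%s\n' "$1" | grep -q 'AES-NI is not supported on this hardware'; then
        echo no
    else
        echo unknown
    fi
}

# Independent check: return 0 when the first "flags" line of the cpuinfo text in
# $1 contains the "aes" flag, i.e. the hypervisor exposes the AES-NI CPUID bit.
cpuinfo_has_aes_flag() {
    printf '%s\n' "$1" | grep '^flags[[:space:]]*:' | head -n 1 | grep -qw 'aes'
}

# Combine both signals into one verdict: "exposed", "masked", or "inconsistent"
# (the CPU flag and the VPN module disagree, which needs a closer look).
aesni_verdict() {
    status=$(aesni_status_from_dmesg "$1")
    if cpuinfo_has_aes_flag "$2"; then flag=yes; else flag=no; fi
    if [ "$status" = yes ] && [ "$flag" = yes ]; then
        echo exposed
    elif [ "$status" = no ] && [ "$flag" = no ]; then
        echo masked
    else
        echo inconsistent
    fi
}

# Constructed sample inputs mirroring the two outcomes listed in the article.
SAMPLE_DMESG_NO='VPN-1: AES-NI is allowed on this machine. Testing hardware support
VPN-1: AES-NI is not supported on this hardware'
SAMPLE_DMESG_YES='VPN-1: AES-NI is allowed on this machine. Testing hardware support
VPN-1: AES-NI is supported on this hardware'
SAMPLE_CPUINFO_NO='processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 hypervisor'
SAMPLE_CPUINFO_YES='processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 aes hypervisor'

# Run against the live gateway with "--live" (from Expert mode, as in the article).
if [ "${1:-}" = "--live" ]; then
    live_dmesg=$(dmesg 2>/dev/null | grep 'AES-NI' || true)
    live_cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    echo "AES-NI: $(aesni_verdict "$live_dmesg" "$live_cpuinfo")"
fi
```

Run it with the --live argument on the gateway after step 13; an "inconsistent" verdict (for example, the "aes" flag present but the VPN module still reporting no support) usually means the module was loaded before the mask change took effect, so repeat the power-cycle in step 10 before changing anything else.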
    
