Re: IPsec bandwidth perf on APU4C4

2019-06-19 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, June 13, 2019 10:46 PM, Stuart Henderson wrote:
> 4.9.0.6 does have it enabled by default. I'm not sure about the 4.0.x releases
> and don't want to reboot mine to check now either :)

Finally managed to reboot my firewall box and so I can confirm

Re: IPsec bandwidth perf on APU4C4

2019-06-13 Thread Oliver Marugg
On 13 Jun 2019, at 22:46, Stuart Henderson wrote: On 2019/06/13 20:08, mabi wrote: ‐‐‐ Original Message ‐‐‐ On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson wrote: If you're on an old BIOS revision for the APU (more than a couple of months old), try updating, they have

Re: IPsec bandwidth perf on APU4C4

2019-06-13 Thread Stuart Henderson
On 2019/06/13 20:08, mabi wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson
> wrote:
>
> > If you're on an old BIOS revision for the APU (more than a couple of
> > months old), try updating, they have enabled "core performance boost"
> > which

Re: IPsec bandwidth perf on APU4C4

2019-06-13 Thread mabi
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson wrote:
> If you're on an old BIOS revision for the APU (more than a couple of
> months old), try updating, they have enabled "core performance boost"
> which increases speed of a single core if the others

Re: IPsec bandwidth perf on APU4C4

2019-06-12 Thread Stuart Henderson
On 2019-06-12, Stuart Henderson wrote:
> If you're on an old BIOS revision for the APU (more than a couple of
> months old), try updating, they have enabled "core performance boost"
> which increases speed of a single core if the others are not under
> heavy load.
>
> I haven't done network

Re: IPsec bandwidth perf on APU4C4

2019-06-12 Thread Stuart Henderson
If you're on an old BIOS revision for the APU (more than a couple of months old), try updating, they have enabled "core performance boost" which increases speed of a single core if the others are not under heavy load. I haven't done network benchmarks but there is a noticeable improvement in some

Re: IPsec bandwidth perf on APU4C4

2019-06-12 Thread mabi
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 11:34 AM, Daniel Gracia wrote:
> Those look like reasonable numbers for the given scenario. Improving
> your IPsec bandwidth would take more horsepower than an APU box.
> Improving site-to-site encrypted VPN speed, assuming two APU

Re: IPsec bandwidth perf on APU4C4

2019-06-12 Thread Daniel Gracia
Those look like reasonable numbers for the given scenario. Improving your IPsec bandwidth would take more horsepower than an APU box. Improving site-to-site encrypted VPN speed, assuming two APU boxes, would require switching from IPsec to something like a WireGuard VPN, available on -current as a

Re: IPsec bandwidth perf on APU4C4

2019-06-11 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, June 11, 2019 1:04 PM, Christian Weisgerber wrote:
> > childsa enc aes-128-gcm
>
> Correct.

For reference I now changed the childsa encryption cipher to aes-128-gcm and get 93 Mbit/s throughput instead of the 80 Mbit/s I saw with aes-256. Better

Re: IPsec bandwidth perf on APU4C4

2019-06-11 Thread Christian Weisgerber
mabi:
> Last question hopefully... Reading the iked.conf man page I conclude that all
> I need for that is to add to my ikev2 config is the following additional
> parameter:
>
> childsa enc aes-128-gcm

Correct.

--
Christian "naddy" Weisgerber na...@mips.inka.de

Re: IPsec bandwidth perf on APU4C4

2019-06-11 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 7:09 PM, Christian Weisgerber wrote:
> No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
> it handles both encryption and authentication at the same time.
> Specifying an additional "auth" algorithm doesn't make sense.

Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 7:09 PM, Christian Weisgerber wrote:
> No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
> it handles both encryption and authentication at the same time.
> Specifying an additional "auth" algorithm doesn't make sense.

Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread Christian Weisgerber
mabi:
> > enc aes-128-gcm etc.
>
> That part for the "enc" parameter makes sense to me but what about the "auth"
> parameter?

No "auth". AES-GCM is an authenticated encryption algorithm, i.e., it handles both encryption and authentication at the same time. Specifying an additional "auth"

Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 6:00 PM, Christian Weisgerber wrote:
> enc aes-128-gcm etc.

That part for the "enc" parameter makes sense to me but what about the "auth" parameter? Would you keep the default hmac-sha2-256? or which combination with the "enc

Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread Christian Weisgerber
mabi:
> Thanks for the tip regarding the cpu cost of the authentication algorithm.
> Now I was wondering how do you use the AES-GCM combo? I can't find any auth
> or enc parameters mentioning that combo.

enc aes-128-gcm etc.

--
Christian "naddy" Weisgerber

Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 4:49 PM, Christian Weisgerber wrote:
> It helps to understand that the authentication algorithm can require
> as much or more CPU than the encryption. HMAC-SHA2 is expensive.
> On hardware that has AES-NI support, like the APU2 family,

Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread Christian Weisgerber
On 2019-06-10, mabi wrote:
> Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput
> which is quite satisfying. The bandwidth throughput over my IPsec tunnel
> achieves a max of 80 Mbit/s which I was sort of expecting with the default
> encryption settings (auth

IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
Hi, I am currently testing a PC Engines APU4C4 with OpenBSD 6.5 and iked for an IPsec tunnel between two sites which both have 1 Gbit/s uplink. Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput which is quite satisfying. The bandwidth throughput over my IPsec tunnel