Troy,

It's not a dumb question. I just figured it out myself. In the connection defaults, or in the specific connection you want to use AES, just add esp=aes. Of course the ipsec_aes.o module must be loaded.

Roger
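As an added example (not from the thread, and not Bering's or FreeS/WAN's own code), a small POSIX shell check that reads an ipsec.conf and reports which ESP cipher a conn will end up with, honouring the point above that esp=aes may sit either in conn %default or in the conn itself, and that ipsec_aes must actually be loaded; the config and the /proc/modules-style listing are constructed samples, and the 3DES fallback is FreeS/WAN's built-in default when no esp= line is present.

```shell
# Added example, not from the thread or from Bering/FreeS/WAN itself: report the
# ESP cipher a conn ends up with (honouring "conn %default") and check modules.

# Effective value of key $2 for conn $1, reading ipsec.conf from stdin: the
# conn's own line wins, then "conn %default", else "" (FreeS/WAN then falls
# back to its built-in default, which for esp is 3DES).
effective_setting() {
    awk -v conn="$1" -v key="$2" '
        /^[[:space:]]*#/ { next }                      # skip comments
        /^(conn|config)[[:space:]]/ { section = $2; next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, kv, "=")
            if (kv[1] != key) next
            if (section == conn) own = kv[2]
            else if (section == "%default") def = kv[2]
        }
        END { print (own != "" ? own : def) }'
}

# True if module $1 appears in a /proc/modules-style listing read from stdin.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Constructed sample: Troy's layout with Roger's esp=aes added to %default,
# plus one conn that overrides it back to 3DES.
SAMPLE_CONF='conn %default
    authby=secret
    pfs=yes
    esp=aes

conn troy
    left=139.145.45.166
    leftsubnet=10.10.65.0/24
    auto=start

conn legacy
    esp=3des
    auto=ignore
'
# Constructed /proc/modules-style listing (name size usecount).
SAMPLE_MODULES='ipsec 250000 0
ipsec_aes 45000 1
'
# Cipher conn $1 will propose for ESP under SAMPLE_CONF (3des when unset).
esp_for_conn() {
    esp=$(printf '%s' "$SAMPLE_CONF" | effective_setting "$1" esp)
    printf '%s\n' "${esp:-3des}"
}
```

On a real box, feed effective_setting the live /etc/ipsec.conf and module_loaded the contents of /proc/modules; a conn that resolves to aes while ipsec_aes is absent is the misconfiguration the thread warns about.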
Troy Aden <Troy.Aden @VCom.com>
04/14/2004 10:13 AM
To: Roger E McClurg/CEG/[EMAIL PROTECTED], Charles Steinkuehler <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Bering 1.2 Throughput Test Results

I am sure this question is a silly one, but here it goes. How do I go about changing the encryption algorithm in FreeS/WAN IPsec? I am using Bering uClibc 2.0. I am using FreeS/WAN IPsec with PSKs for my connections. I did not see anything in the procedures for changing the encryption algorithms that this package uses. I am assuming that I would add the module (ipsec_aes.o) to /lib/modules/. But can anyone please tell me the command that I need to put in the IPsec config file to tell it specifically what algorithm to use?

Thanks in advance!

Troy

Here is what my config looks like:

config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    right=132.125.107.155
    rightsubnet=192.168.55.0/16
    rightnexthop=132.125.107.254
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn troy
    left=139.145.45.166
    leftsubnet=10.10.65.0/24
    leftnexthop=139.145.45.129
    auto=start

Here is what comes up when I start a connection:

ipsec whack --initiate --name test
002 "troy" #152: initiating Main Mode
104 "troy" #152: STATE_MAIN_I1: initiate
106 "troy" #152: STATE_MAIN_I2: sent MI2, expecting MR2
108 "troy" #152: STATE_MAIN_I3: sent MI3, expecting MR3
002 "troy" #152: Main mode peer ID is ID_IPV4_ADDR: '139.145.45.166'
002 "troy" #152: ISAKMP SA established
004 "troy" #152: STATE_MAIN_I4: ISAKMP SA established
002 "troy" #153: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 "troy" #153: STATE_QUICK_I1: initiate
002 "troy" #153: sent QI2, IPsec SA established
004 "troy" #153: STATE_QUICK_I2: sent QI2, IPsec SA established

-----Original Message-----
From: Roger E McClurg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 14, 2004 7:13 AM
To: Charles Steinkuehler
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

My apologies. I should have looked before I asked. It is in the Bering modules, right where it should be.

Roger

-=-=-=--=-=-=-=-=-=-=-=

Charles,

I'd love to run the tests. Where can I find the ipsec_aes.o module for Bering 1.2?

Roger

Charles Steinkuehler <charles @steinkuehler.net>
04/13/2004 04:13 PM
To: Roger E McClurg/CEG/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

Roger E McClurg wrote:
<snip>
> The next test was to FTP from the PC connected to the OpenBrick E to the
> PC connected to a 500 MHz P III running Bering 1.2. The transfer rate was
> only 12.67 Mb/sec. The 3DES IPSEC encryption was certainly taking its
> toll.
>
> Next we replaced both Bering machines with Nortel Contivity 1500 VPN
> devices. The Contivity is a popular VPN concentrator for small branch
> offices. It was designed specifically for the purpose of a VPN
> concentrator. Imagine our surprise when the Contivity transfer rate was
> only 4.45 Mb/sec. The Bering boxes were running weblet, shorewall,
> dnscache, dhcpd, ssh, sshd, sftp, snmp, and snmpd in addition to IPSEC,
> and yet they were almost three times faster than commercial VPN
> concentrators.

If you want to have a bit more fun, switch your IPSec links to the new AES (ipsec_aes.o) encryption algorithm. Designed to be more friendly to modern CPUs with wide registers and SIMD (Single Instruction Multiple Data) instruction sets (3DES is optimized for hardware, and doesn't translate nicely into a byte/word oriented general-purpose CPU algorithm), you should see a substantial increase in your transfer rates. 3DES is usually not much of a bottleneck (even with the 'slow' Nortel devices), as usually the upstream WAN link is substantially slower than the potential CPU throughput when compressing, but if you've got fast pipes, you'll notice a drastic difference by choosing an alternate encryption scheme.

--
Charles Steinkuehler
[EMAIL PROTECTED]

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html