Hi,

thank you for the suggestions; it took me some time to think about them
and reply here.

On Fri, 11 Aug 2023 14:19:44 -0000 (UTC)
Stuart Henderson <stu.li...@spacehopper.org> wrote:

> If you post your IPsec configuration, perhaps someone can suggest
> whether the choice of ciphers etc could be improved. It can make
> quite a difference.

I have just recently bumped quick enc from aes-128-gcm to aes-256-gcm,
as well as group from modp3072 to ecp256:

ike passive esp transport proto gre from $me to $peer \
  main auth hmac-sha2-256 enc aes-256 group ecp256 lifetime 24h \
  quick enc aes-256-gcm group ecp256 lifetime 8h

I have also increased the lifetimes from the default values because I was
getting quite a lot of INVALID COOKIE messages from isakmpd:

isakmpd[51306]: message_recv: invalid cookie(s) cookiea cookieb
isakmpd[51306]: dropped message from $peer port 500 due to notification type INVALID_COOKIE


On Sat, 12 Aug 2023 12:17:36 +1000
David Gwynne <da...@gwynne.id.au> wrote:

> The things you can do Right Now(tm) are:
> 
> - upgrade to -current
> 
> the pf purge code has been taken out from under the big kernel lock.
> if you have a lot of pf states, this will give more time to crypto.

I have ~50,000 states during peak time. I can't go to -current, but I will
look forward to 7.4. I also read the following articles on undeadly.org:

https://undeadly.org/cgi?action=article;sid=20230807094305
https://undeadly.org/cgi?action=article;sid=20230706115843

Once 7.4 hits, is it expected that changing gre/ipsec to sec(4) could
make a positive difference in throughput on the same hardware?

> - pick faster crypto algorithms

I posted mine above; I would be thankful to get the latest recommendation.

> - try wireguard?

I am testing replacing a few of the gre/ipsec tunnels with wg interfaces on 7.3 at
the moment. The main problem I am encountering so far is the fact that
`ospfctl reload` does not seem to pick up newly added (to ospfd.conf) wg
interfaces. `ospfctl sh int` shows them in DOWN state after the reload, and
no OSPFv2 hello packets are sent until `rcctl restart ospfd`.

It is quite unmaintainable to have to restart ospfd every time
wg interfaces are added to or removed from ospfd.conf. Is there any way around it?
Perhaps this will improve in some later release? Or am I doing it
wrong?

I have more questions about WireGuard, but I guess I had better ask
them in another topic.

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
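As an added illustration (not code from this thread or from the OpenBSD project): a small Python helper that parses isakmpd "dropped message ... INVALID_COOKIE" syslog lines like the ones quoted above and counts them per peer and per hour, so that the effect of a lifetime change can be compared before and after instead of eyeballed. The log lines, hostname, PID and peer addresses in SAMPLE_LOG are constructed for the example; the parser assumes the standard BSD syslog timestamp prefix ("Mon DD HH:MM:SS host isakmpd[pid]:") in front of the message text the thread shows.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of isakmpd syslog lines (not taken from the thread).
# Peer addresses are from the documentation ranges; the cookies are made up.
SAMPLE_LOG = """\
Aug 11 14:00:01 gw isakmpd[51306]: message_recv: invalid cookie(s) 1a2b3c4d5e6f7081 0000000000000000
Aug 11 14:00:01 gw isakmpd[51306]: dropped message from 192.0.2.10 port 500 due to notification type INVALID_COOKIE
Aug 11 14:00:09 gw isakmpd[51306]: dropped message from 192.0.2.10 port 500 due to notification type INVALID_COOKIE
Aug 11 14:03:40 gw isakmpd[51306]: dropped message from 198.51.100.7 port 500 due to notification type INVALID_COOKIE
Aug 11 15:12:05 gw isakmpd[51306]: dropped message from 192.0.2.10 port 500 due to notification type INVALID_COOKIE
Aug 11 15:12:06 gw isakmpd[51306]: some unrelated isakmpd line that must be ignored
"""

# Matches only the "dropped message ... due to notification type X" lines;
# the preceding "message_recv: invalid cookie(s)" line carries no peer, so it is skipped.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<ntype>\S+)$"
)


def parse_drops(text, year=2023):
    """Yield (timestamp, peer, port, notification_type) for each dropped-message line.

    Syslog lines carry no year, so the caller supplies it (assumption: all lines
    belong to the same year).
    """
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["peer"], int(m["port"]), m["ntype"]


def invalid_cookie_by_peer(text):
    """Count INVALID_COOKIE drops per peer address."""
    counts = Counter()
    for _, peer, _, ntype in parse_drops(text):
        if ntype == "INVALID_COOKIE":
            counts[peer] += 1
    return dict(counts)


def invalid_cookie_per_hour(text):
    """Bucket INVALID_COOKIE drops into hourly windows (YYYY-MM-DD HH:00)."""
    buckets = defaultdict(int)
    for ts, _, _, ntype in parse_drops(text):
        if ntype == "INVALID_COOKIE":
            buckets[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(buckets)


if __name__ == "__main__":
    print("per peer:", invalid_cookie_by_peer(SAMPLE_LOG))
    print("per hour:", invalid_cookie_per_hour(SAMPLE_LOG))
```

Feed it the relevant part of /var/log/daemon (or the output of `grep isakmpd` over it) instead of SAMPLE_LOG; a peer that keeps showing up in the per-hour buckets after the lifetimes were raised is the one whose SA timing still does not line up with ours.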
