[strongSwan] ipsec tunnel failover

Hi, I have the following setup, A - has two tunnels one to B(acting as Primary) and another to C(acting as backup). i am looking for a way to gracefully switch the data traffic from B to C by keeping both tunnels active. A <--> B A <--> C Is there a way i can the keep a

[strongSwan] Replay window upper limit

Hi, What is the upper limit on replay window size ? i didn't find any documentation on upper limit. is it dependent on Hardware, if so how to find the limit After a certain limit, i am having some problem with IPsec connection. *replay_window = -1 | * The IPsec replay window size for this

Re: [strongSwan] Pcrypt module usage

Hi All, Can you please provide your input on this ? Regards Kapil. On Fri, Aug 5, 2016 at 10:13 PM, Kapil Adhikesavalu <kapil20...@gmail.com> wrote: > With the below steps I don't see any performance improvements in ipsec in > a multicore HW. Is there anything I am missing? > &

Re: [strongSwan] Pcrypt module usage

With the below steps I don't see any performance improvements in ipsec in a multicore HW. Is there anything I am missing? Thanks Kapil On 04-Aug-2016 5:37 PM, "Kapil Adhikesavalu" <kapil20...@gmail.com> wrote: Hello, I am getting the following errors while trying pcrypt. From

[strongSwan] Pcrypt module usage

Hello, I am getting the following errors while trying pcrypt. From the wiki page, i see when tcrypt is used, "modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable" is an expected. I am getting a different error, please let me know if this fine. The /proc/crypto logs in

[strongSwan] Pcrypt module config flag is incorrect

Hi Folks, i see in strongswan pcrypt page, to enable pcrypt you guys have asked to enable CONFIG_PCRYPT. but the correct flag is CONFIG_CRYPTO_PCRYPT. can you guys please correct this ? https://github.com/torvalds/linux/blob/master/crypto/Makefile obj-$(CONFIG_CRYPTO_PCRYPT) += pcrypt.o

Re: [strongSwan] aes256gcm12 is not working for me

> > It seems that our EC2 instance is on that kernel. > > On Wed, Jun 22, 2016 at 8:42 AM, Kapil Adhikesavalu <kapil20...@gmail.com> > wrote: > >> Hi Sandeep, >> >> Are you by any chance using intel_aesni klm (check /proc/crypto) ? If so, >> aesgcm256 is not suppor

Re: [strongSwan] aes256gcm12 is not working for me

Hi Sandeep, Are you by any chance using intel_aesni klm (check /proc/crypto) ? If so, aesgcm256 is not supported until kernel 4.1. Otherwise you can check the logs to see for any errors. Related to GCM256 - https://wiki.strongswan.org/issues/341 Thanks Kapil On 22-Jun-2016 7:12 AM, "sandeep

Re: [strongSwan] Enabling AES-NI in strongswan

Hi Jeff, Thanks for the info, couple of questions , 1. However there was a bug in pre 4.1 kernels where AES-NI does not work right for GCM operations. kapil : can you point me to On Mon, Jun 20, 2016 at 12:31 PM, Jeff Leung wrote: > > Hi, > > > > i am looking for

[strongSwan] Enabling AES-NI in strongswan

Hi, i am looking for ways to improve the throughput while using the strongswan IPSEC. I read that AES-GCM provides excellent throughput over default AES-CBC-128 when used with AES-NI support in intel processors. i want to enable AES-GCM128 cipher in my xeon E5 processor, and from looking at the