On 2019-01-21, Radek <alee...@gmail.com> wrote:

> ikev2 quick active esp from $local_gw to $remote_gw \
> from $local_lan to $remote_lan peer $remote_gw \
> ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> childsa enc aes-128-ctr \
> psk "pass"
>
> That increased VPN throughput up to 750KB/s but it is still too slow.
A net5501 is very slow by today's standards. I don't remember if that speed is expected.

Assuming that encryption/decryption is the actual bottleneck:

The phase 1 negotiation (ikesa) is only used when the encrypted channel is set up. Tweaking the parameters there has no effect on the performance of the actual data transfer, which is instead determined by the phase 2 (childsa) algorithms.

The Geode LX CPU in the net5501 offers hardware acceleration for AES-128-CBC and nothing else. Not AES-192 or -256, not CTR mode. You can combine this with the cheapest authentication available, which is HMAC-MD5. The HMAC construction is not affected by the known vulnerabilities of MD5.

In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum throughput on this hardware.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
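A worked check added here, not part of the thread or of iked itself: a small sh script that parses the childsa clause of an iked.conf rule and reports whether its ESP cipher is one the net5501's glxsb(4) block accelerates (AES-128-CBC, "aes-128" in iked.conf). The poster's rule and the suggested replacement are embedded as constructed samples, and the glxsb dmesg line is an assumed format, not captured output.

```shell
# Added example, not from the thread: an offline check that the "childsa"
# clause of an iked.conf rule uses only what the net5501's Geode LX crypto
# block (glxsb(4)) accelerates: AES-128-CBC, spelled "aes-128" in iked.conf.
# "aes-128-ctr" is CTR mode and falls back to software. The two configs and
# the dmesg line below are constructed samples, not captured from a box.
SLOW_CONF='ikev2 quick active esp from $local_gw to $remote_gw \
    from $local_lan to $remote_lan peer $remote_gw \
    ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
    childsa enc aes-128-ctr \
    psk "pass"'
# Same rule with the phase 2 algorithms suggested in the reply.
FAST_CONF='ikev2 quick active esp from $local_gw to $remote_gw \
    from $local_lan to $remote_lan peer $remote_gw \
    ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
    childsa enc aes-128 auth hmac-md5 \
    psk "pass"'
# Constructed dmesg attach line for glxsb (exact wording assumed).
SAMPLE_DMESG='glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES'

# Print one childsa option (enc, auth or group); empty if the rule does not
# set it. Backslash-newline continuations are joined before parsing.
childsa_opt() {
    printf '%s\n' "$1" | sed 's/\\$//' | tr '\n' ' ' | awk -v key="$2" '
        { for (i = 1; i <= NF; i++) if ($i == "childsa")
              for (j = i + 1; j < NF; j += 2) {
                  # childsa takes key/value pairs until the next keyword
                  if ($j != "enc" && $j != "auth" && $j != "group") break
                  if ($j == key) print $(j + 1)
              } }'
}

# glxsb only does AES-128-CBC; every other cipher runs on the slow CPU.
glxsb_accelerated() {
    case "$1" in aes-128) return 0 ;; *) return 1 ;; esac
}

# Report whether the rule's ESP cipher is offloaded; exit status 0 if so.
check_conf() {
    enc=$(childsa_opt "$1" enc)
    auth=$(childsa_opt "$1" auth)
    if [ -n "$enc" ] && glxsb_accelerated "$enc"; then
        echo "childsa enc $enc auth ${auth:-(default)}: AES offloaded to glxsb"
        return 0
    fi
    echo "childsa enc ${enc:-(default)} auth ${auth:-(default)}: software crypto only"
    return 1
}
# True if the crypto block attached at boot (feed it real dmesg output).
has_glxsb() { printf '%s\n' "$1" | grep -q '^glxsb[0-9]* at '; }
```

On a real box, run check_conf against the rule from /etc/iked.conf and has_glxsb against `dmesg` output; a rule that passes the first check but a box that fails the second still does AES in software.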