[strongSwan] Different Crypto library

Andreas Steffen andreas.steffen at strongswan.org
Sun Sep 25 22:24:20 CEST 2011

You have to differentiate between IKE, which relies on userland crypto,
and ESP, which requires kernel crypto. For kernel crypto, only the kernel
crypto API of the Linux 2.6 kernel (k) can be used.

For userland crypto there are several alternatives. I personally
prefer the combination "gmp" and "openssl", which uses the very fast
GNU Multi-Precision library for big number operations and openssl
for everything else, including elliptic curve cryptography.
Gcrypt is about two times slower for big number operations than
gmp, and AF_ALG, which offers a userland interface to the Linux 2.6
kernel crypto API, has quite a large overhead in calling kernel
functions but has the advantage that, e.g., only one crypto library has
to be certified and the userland might profit from hardware
acceleration made available by special kernel drivers.



On 09/25/2011 03:45 PM, nima chavooshi wrote:
> Hi
> I have found some details on different crypto libraries on this page:
> http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
> On this page there is some explanation about the supported crypto libraries, as below:
>  x default built-in crypto library
>  o OpenSSL crypto library
>  g Gcrypt crypto library
>  a AF_ALG userland crypto API for Linux 2.6.38 kernel or newer
>  k Linux 2.6 kernel
> It means that every library itself implements cryptography algorithms.
> Now my question is:
> Which crypto library is fast and more reliable? And which one do I use?
> Thanks in advance

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
