[strongSwan] charon RSA tunnel setup speed hints?
Richard Andrews
richard.andrews at symstream.com
Tue Aug 14 00:35:21 CEST 2012
On Mon, 2012-08-13 at 20:47 +0200, Andreas Steffen wrote:
> Hi Rich,
>
> IKEv2 spends most of its time (more than 80%) in public key
> computations (DH exchange and RSA signature generation).
>
> One way to accelerate the generation of the public DH factor
> without compromising security is the strongswan.conf setting
>
> libstrongswan {
>     dh_exponent_ansi_x9_42 = no
> }

Does this require agreement between left and right peers?

> If you want still more big number acceleration then you
> would need a hardware accelerator with an OpenSSL engine
> interface.
>
> With more than 2000 tunnels linear search of the IKE SAs
> gets very slow. Read our HOWTO telling you how to use hash
> tables to speed up the search:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable

Hash table looks important.
I had anecdotally noticed that the tunnel setups seem to get slower as
the test start-up progresses. This would be consistent with linear
search on an increasing list size.
--
Rich
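
The Diffie-Hellman arithmetic behind the peer-agreement question above, as an added example that is not part of the original message or of strongSwan's code. It assumes that dh_exponent_ansi_x9_42 only changes the length of the locally chosen private exponent; the 2047-bit and 256-bit sizes and all function names are illustrative, and the modulus is the RFC 3526 2048-bit MODP prime rebuilt from its published formula.

```python
import secrets, time

def atan_inv(x, scale):
    """Integer arctan(1/x) * scale via the alternating Taylor series."""
    total = term = scale // x
    n, sign = 1, -1
    while term:
        term //= x * x
        n += 2
        total += sign * (term // n)
        sign = -sign
    return total

def modp2048():
    """RFC 3526 group 14 prime: 2^2048 - 2^1984 - 1 + 2^64*([2^1918 pi] + 124476)."""
    guard = 64                                    # extra bits absorb truncation error
    scale = 1 << (1918 + guard)
    pi = 4 * (4 * atan_inv(5, scale) - atan_inv(239, scale))   # Machin's formula
    return 2**2048 - 2**1984 - 1 + 2**64 * ((pi >> guard) + 124476)

P, G = modp2048(), 2

def keypair(exp_bits):
    """Private exponent of exactly exp_bits bits and the public value g^x mod p."""
    x = secrets.randbits(exp_bits) | (1 << (exp_bits - 1))
    return x, pow(G, x, P)

def mixed_exchange(bits_a=2047, bits_b=256):
    """Peer A uses a full-length exponent, peer B a short one (sizes assumed)."""
    xa, ya = keypair(bits_a)
    xb, yb = keypair(bits_b)
    return pow(yb, xa, P), pow(ya, xb, P)         # shared secret as seen by A and by B

def avg_keygen_seconds(exp_bits, rounds=5):
    """Average wall-clock time to generate one public DH value."""
    start = time.perf_counter()
    for _ in range(rounds):
        keypair(exp_bits)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    sa, sb = mixed_exchange()
    print("shared secrets match:", sa == sb)
    print("full-length exponent: %.4f s" % avg_keygen_seconds(2047))
    print("256-bit exponent:     %.4f s" % avg_keygen_seconds(256))
```

Both sides derive the same secret regardless of each other's exponent length, because the exponent never leaves the peer that chose it; only the public values cross the wire.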