[strongSwan] Does strongswan (5.0.4) have any options to cache and reuse the diffie-hellman keys?
Martin Willi
martin at strongswan.org
Tue Dec 3 09:43:41 CET 2013
Hi,
> The Diffe Hellman exchange consists of CPU-intensive operations like
> key-pair generation and shared-secret generation. Does strongswan
> (5.0.4) have any options to cache and reuse the diffie-hellman keys for
> enhanced IKE setup rate?
What an implementation can do is to reuse Diffie-Hellman exponentials
for multiple exchanges. strongSwan currently does not support that, but
always uses fresh exponentials, as it has some implications to the
perfect forward secrecy properties of the protocol.
Instead, I'd recommend to make sure you have set
libstrongswan.dh_exponent_ansi_x9_42 = no. Or even better, switch to
ECDH, which is significantly faster.
Regards
Martin
More information about the Users
mailing list