[strongSwan] difference between 'aes128' and 'aes128gcm8' notation in 'esp' cypher algo
Shahreen Ahmed
sahmed at adax.co.uk
Fri Jul 18 08:45:23 CEST 2014
Hello,
Waiting for feedback on this.
Thanks,
Shahreen
On 17.07.2014 14:23, Shahreen Ahmed wrote:
> Hi all,
>
> I am trying to use the aes-gcm crypto algorithm in my setup, where the CPU
> has the 'aes' instruction enabled and the relevant drivers are loaded:
>
> lsmod | grep -e aes -e gcm
> gcm 10857 0
> aesni_intel 12915 4
> cryptd 8006 4 ghash_clmulni_intel,aesni_intel
> aes_x86_64 7961 1 aesni_intel
> aes_generic 27609 2 aesni_intel,aes_x86_64
>
> I compiled strongSwan with --enable-gcm and added the 'gcm' plugin in
> the strongswan.conf file.
>
> If I use 'aes128gcm8' as 'esp' in ipsec.conf, I get poorer performance
> (60% less throughput on UDP traffic) than using only 'aes128'.
>
> My questions are:
>
> 1) With only 'aes128', what integrity algo does it actually use?
>
> 2) To enable and use 'aes128gcm8' effectively (as I am expecting better
> throughput), do I need to take any extra steps beyond the above?
>
> I tried using PRF for GCM, resulting in no improvement.
>
> Thanks,
> Shahreen