[strongSwan] Good information on adding custom ESP encryption

Yeagley, Josiah jyeagley at harris.com
Fri Apr 8 18:08:40 CEST 2016


Emeric, 
  
Thank you for your response. From what I have read about kernel-libipsec, it is not recommended to be used on security gateways, is not optimized for performance (we have strict latency requirements), and buffers each packet in memory. Unfortunately, those caveats are deal breakers. The crypto part of it has been purchased from a company so they are responsible for its working. I have been given the task of integrating it with IPsec to protect network traffic and I am not 100% sure how best to go about doing it. I have a rough idea that I have gathered from my research. I believe the only real way to do this is via a kernel module using the CryptoAPI. It then has to be registered with the OS and strongSwan and can then be used by specifying esp=<name you gave it> in the ipsec.conf entry for the connection. Since I sent the email yesterday I was able to find a blog post newer than 2009 with a little more information (http://kernelspec.blogspot.com/2014/10/ipsec-implementation-in-linux-kernel.html). It is a very interesting read but it is not detailed enough to give me a clear path forward on how to go about completing my task. If you or anyone can help provide me with additional information I'd greatly appreciate it.

Thank you, 

~Josiah s. Yeagley

-----Original Message-----
From: Emeric POUPON [mailto:emeric.poupon at stormshield.eu] 
Sent: Friday, April 08, 2016 3:42 AM
To: Yeagley, Josiah (U.S. Person) <jyeagley at harris.com>
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Good information on adding custom ESP encryption

Hello,

Depending on your goal, it may be easier to first implement and test this new algorithm in userland using the kernel-libipsec plugin?

Regards,


