On Tue, Sep 06, 2005 at 01:56:56PM +0000, Alaa Dalghan wrote:
> Hello everyone,
> I need to modify some CRYPTOGRAPHY code in Linux Kernel to get a specific
> VPN behavior, but I don't know where to start.

<snip>

> Each packet sent from a given client to the other gets processed 4 times
> (encryption at the sender, decryption at the gateway, encryption at the
> gateway, decryption at the receiver). This is the normal behavior but it
> imposes too much processing overhead on the linux VPN gateway. The required
> behavior is that the VPN gateway just RELAYS encrypted data (ESP envelopes)
> without decrypting them. This is impossible in the current ipsec
> implementation since "the end of a tunnel HAS ALWAYS to be decrypted".

Umm, if I understand correctly, unless each tunnel is using the same keys,
the decrypt and re-encrypt end up with *different* data. So just skipping
the decrypt won't work, you'll just end up sending packets which the other
end can't read.

If you're using the same keys, perhaps the kernel can see that, I don't
know...

Hope this helps,
--
Martijn van Oosterhout <kleptog@xxxxxxxxx> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.