On Fri, 2019-03-08 at 10:27 +0000, David Woodhouse wrote:
> On Fri, 2019-03-08 at 10:24 +0000, Nikos Mavrogiannopoulos wrote:
> > Hi,
> > If you are using RHEL with IPsec I would suggest contacting Red Hat
> > at access.redhat.com. This list is about OpenConnect, an SSL VPN.
>
> The Juniper and Palo Alto protocols supported by OpenConnect really do
> use IPSec. I think Tony is in the right place.
>
> We should make it do Cisco IPSec too, and obsolete vpnc :)

[resending because the original was rejected]

Ok, so ESP was meant. That makes sense. I remember that we had discussed in the past using the kernel ESP, but I do not remember whether that was feasible or too complicated.

Nevertheless, on the crypto side, openconnect's ESP support is based on CBC ciphers, which are quite slow. Over TLS the difference (using gnutls-cli --benchmark-tls-ciphers) is quite significant for small packets (on my home PC):

AES-128-CBC - TLS1.0   0.25 GB/sec
AES-128-GCM - TLS1.2   0.97 GB/sec

That's still significantly greater than 15Mb/sec. Tony, what's the output of gnutls-cli --benchmark-tls-ciphers on that platform? The implementation is not the same as openconnect's ESP, but the performance should be similar.

regards,
Nikos

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
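The thread compares a CBC cipher with a separate MAC against AES-GCM and notes that the gap is largest for small packets. The program below is an added example, not OpenConnect's or GnuTLS's code, that reproduces that comparison with Go's standard library: an ESP-shaped AES-128-CBC + HMAC-SHA1 path (IV, PKCS#7 padding, ICV over IV||ciphertext) against AES-128-GCM with an RFC 4106 style salt+counter nonce, timed over several payload sizes. The keys and salt are constructed test values, the `benchmark` duration is arbitrary, and the absolute numbers will differ from what gnutls-cli reports; the ratio between the two constructions at small sizes is the point.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Result is the measured throughput of one construction at one payload size.
type Result struct {
	Name       string
	PayloadLen int
	MBPerSec   float64
}

// Constructed test keys; a real SA derives these from IKE or, for OpenConnect,
// from the ESP keys the gateway hands over.
var (
	encKey = []byte("0123456789abcdef") // 16 bytes: AES-128
	macKey = []byte("hmac-sha1-test-key-20")
)

// encryptCBCThenMAC mirrors the "CBC cipher + separate HMAC" shape of the ESP
// path under discussion: random IV, pad to the block size, AES-CBC, then
// HMAC-SHA1 over IV||ciphertext appended as the ICV. Output: IV||CT||ICV.
func encryptCBCThenMAC(block cipher.Block, payload []byte) []byte {
	bs := block.BlockSize()
	padLen := bs - len(payload)%bs // always 1..bs, as in PKCS#7
	buf := make([]byte, bs+len(payload)+padLen)
	if _, err := rand.Read(buf[:bs]); err != nil {
		panic(err)
	}
	copy(buf[bs:], payload)
	for i := bs + len(payload); i < len(buf); i++ {
		buf[i] = byte(padLen)
	}
	cipher.NewCBCEncrypter(block, buf[:bs]).CryptBlocks(buf[bs:], buf[bs:])
	h := hmac.New(sha1.New, macKey)
	h.Write(buf)
	return h.Sum(buf)
}

// decryptCBCThenMAC checks the ICV in constant time before touching the
// ciphertext, then strips the padding; it confirms the encryptor is sound.
func decryptCBCThenMAC(block cipher.Block, pkt []byte) ([]byte, error) {
	bs, macLen := block.BlockSize(), sha1.Size
	if len(pkt) < 2*bs+macLen || (len(pkt)-macLen)%bs != 0 {
		return nil, errors.New("malformed packet")
	}
	body, icv := pkt[:len(pkt)-macLen], pkt[len(pkt)-macLen:]
	h := hmac.New(sha1.New, macKey)
	h.Write(body)
	if !hmac.Equal(h.Sum(nil), icv) {
		return nil, errors.New("bad ICV")
	}
	pt := make([]byte, len(body)-bs)
	cipher.NewCBCDecrypter(block, body[:bs]).CryptBlocks(pt, body[bs:])
	padLen := int(pt[len(pt)-1])
	if padLen < 1 || padLen > bs ||
		!bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padLen], nil
}

// gcmNonce forms the 96-bit nonce as a 4-byte salt plus a 64-bit packet
// counter, the RFC 4106 layout; the counter must never repeat under one key.
func gcmNonce(counter uint64) []byte {
	nonce := []byte{0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 0} // constructed salt
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

// benchmark runs each construction over identical payloads for roughly d and
// returns plaintext megabytes per second for each.
func benchmark(payloadLen int, d time.Duration) (cbc, gcm Result) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte{0x42}, payloadLen)
	run := func(name string, f func(uint64)) Result {
		var n uint64
		start := time.Now()
		for time.Since(start) < d { // check the clock once per 256 packets
			for i := 0; i < 256; i++ {
				f(n)
				n++
			}
		}
		secs := time.Since(start).Seconds()
		return Result{Name: name, PayloadLen: payloadLen, MBPerSec: float64(n*uint64(payloadLen)) / 1e6 / secs}
	}
	cbc = run("AES-128-CBC+HMAC-SHA1", func(uint64) { encryptCBCThenMAC(block, payload) })
	gcm = run("AES-128-GCM", func(i uint64) { aead.Seal(nil, gcmNonce(i), payload, nil) })
	return cbc, gcm
}

func main() {
	for _, size := range []int{64, 576, 1400} { // small, typical and near-MTU payloads
		cbc, gcm := benchmark(size, 300*time.Millisecond)
		fmt.Printf("%4d-byte payload: %-22s %8.1f MB/s  %-12s %8.1f MB/s  (%.1fx)\n",
			size, cbc.Name, cbc.MBPerSec, gcm.Name, gcm.MBPerSec, gcm.MBPerSec/cbc.MBPerSec)
	}
}
```

Run it with `go run` on the platform in question; the per-size ratio is what to compare against the gnutls-cli figures, since the MAC and padding overhead of CBC+HMAC is fixed per packet and so weighs most at 64 bytes.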