Use aesgcm16 instead of aes256?

Printable View

04-24-2020, 07:05 AM
ensnare

Use aesgcm16 instead of aes256?

Hi guys -- Happy Untangle user here. When configuring a site-to-site tunnel, the only esp option is AES which is AES-CBC. The multithreaded and more efficient AES-GCM encryption algorithm is not an option.

If I manually edit /etc/ipsec.conf and change:

esp=aes256-sha1-modp2048!

to

esp=aes256gcm16-sha1-modp2048!

Site-to-site throughput jumps 3x and CPU utilization drops.

Of course when I reboot the config is lost. Any way I can get this change to be persistent? Or perhaps add an option for AES-GCM through the UI :). Thank you!
04-24-2020, 07:29 AM
jcoffin

Thanks for the post. We will look into it.
04-25-2020, 05:49 PM
jcoffin

Jira ticket for tracking.

https://jira.untangle.com/browse/NGFW-13056
04-26-2020, 05:05 AM
ensnare

That's great, thanks. I also see a performance boost when I use the aesxcbc integrity algorithm, also AES-NI accelerated, as opposed to sha1.

esp=aes256gcm16-aesxcbc-modp2048!

Provides maximal site-to-site performance between our two sites.
06-22-2020, 10:23 AM
zac1333

Also interested in this option as well
07-23-2020, 01:41 PM
ensnare

Tested & works in 16 beta. You guys are awesome.

All times are GMT -7. The time now is 08:57 AM.

© Untangle, Inc. All Rights Reserved.

SEO by vBSEO 3.6.0 PL2