Prescription Combs
Apr 20, 2005
   6
Most of my co-workers hate AnyConnect. I love setting it up, it's so easy...

It's always something hurf durf ipsec blah blah old ways. The thing that stinks about it, which I think may be changing, is the licensing. Especially if you want mobile phones to work on AnyConnect you need the 'for mobile' license.

Prescription Combs
Apr 20, 2005
   6

MrMoo posted:

IKEv1 only permits tunneling of a single VLAN unless you are using a proprietary Cisco extension. IKEv2 permits multiple networks in leftsubnet= and rightsubnet= parameters. The typical workaround for this is to use multiple connections or to add L2TP above IPsec, i.e. a level 2 tunneling protocol above a single IPsec connection. On Linux this adds two additional processes I believe - xl2tpd and pppd. You could use GRE or any other IP-in-IP encapsulation protocol but IPsec + L2TP is the standard combination.

ChromeOS only supports OpenVPN or IPsec + L2TP (StrongSwan + xl2tpd).

iOS supports IPsec (Racoon), PPTP (GRE), IPsec + L2TP, and OpenVPN (via a special app). IKEv2 requires usage of Apple's enterprise system prep tool. A lot of the tools are new C++ rewrites by Apple so expect less feature parity and compatibility.

I think you're just used to awful linux IPSec implementations.

Why the hell does strongswan use 'leftsubnet' / 'rightsubnet'? What is the frame of reference? That is confusing as gently caress.
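As an added illustration of the leftsubnet/rightsubnet point raised above (not part of the thread, and not a config from either poster): in strongSwan's ipsec.conf, "left" is always the side that loads the file and "right" is the peer, so the same file reads correctly on both ends if you swap the two blocks. With keyexchange=ikev2, a comma-separated list in leftsubnet and rightsubnet becomes multiple traffic selectors in a single CHILD_SA, which is the IKEv2 feature MrMoo describes. The addresses, identities and certificate file names are made up.

```conf
# Added example, not from the thread. strongSwan ipsec.conf for an IKEv2
# site-to-site tunnel that carries several subnets in ONE CHILD_SA.
# "left" = the local side of the host that loads this file, "right" = the peer.
# All addresses, IDs and file names below are invented for the example.
config setup
    uniqueids = yes

conn site-a-to-site-b
    keyexchange = ikev2
    left = 203.0.113.10                  # our public address (assumed)
    leftid = @site-a.example.net
    leftcert = siteACert.pem             # our certificate (assumed file name)
    # several local VLANs behind us: IKEv2 sends them as multiple traffic
    # selectors in a single CHILD_SA, no per-subnet conn needed
    leftsubnet = 10.1.0.0/24,10.1.1.0/24,10.1.2.0/24
    right = 198.51.100.20                # peer's public address (assumed)
    rightid = @site-b.example.net
    rightsubnet = 10.2.0.0/24,10.2.1.0/24
    ike = aes128gcm16-prfsha256-ecp256!  # "!" = strict, offer only this proposal
    esp = aes128gcm16-ecp256!
    auto = start
```

On the peer, the same conn is written with the left and right blocks exchanged; strongSwan decides which side is "left" by matching the left/right addresses against the host's own interfaces, so the frame of reference is always "left = me".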

Prescription Combs
Apr 20, 2005
   6

MrMoo posted:

Per RFC 4306 it appears the enhancement in IKEv2 is multiple traffic selectors (and narrowing) within a single child SA.

Ya but you can have multiple SAs to the same peer as long as you aren't using a terrible IPSec implementation device.

Prescription Combs
Apr 20, 2005
   6

Tyren posted:

Side note - MS (and others) plan to deprecate SHA1 very soon (circa 2016). While we don't see SHA2 often, I'm guessing we'll see more alternatives to SHA1 in the near future.

https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html


SHA1 has pretty much been deprecated by the popular browsers. Most certs have been re-keyed with SHA256.

Edit: I'm legitimately excited to see software solutions starting to utilize the AES/AES-NI extensions :monar:

Prescription Combs fucked around with this message at 01:22 on May 5, 2015

Prescription Combs
Apr 20, 2005
   6
Are those numbers packets per second? If so that's fast as hell.

Edit: Oh I see, OpenSSL 'speed' benchmarks.


On my i5-2500K

code:
OpenSSL> speed -evp aes-128-cbc aes-256-cbc camellia-128-cbc
Doing aes-256 cbc for 3s on 16 size blocks: 17380960 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 4710371 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 1191494 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 299249 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 37441 aes-256 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 16 size blocks: 22247823 camellia-128 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 64 size blocks: 8415460 camellia-128 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 256 size blocks: 2383579 camellia-128 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 1024 size blocks: 615498 camellia-128 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 8192 size blocks: 77781 camellia-128 cbc's in 2.99s
Doing aes-128-cbc for 3s on 16 size blocks: 146106823 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 38846021 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 9868240 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2477179 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 309895 aes-128-cbc's in 3.00s
OpenSSL 1.0.1k-fips 8 Jan 2015
built on: Thu Mar 19 17:34:17 2015

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      92698.45k   100487.91k   101674.15k   102143.66k   102238.89k
camellia-128 cbc   118655.06k   179529.81k   203398.74k   210089.98k   213104.33k
aes-128-cbc     781842.53k   828715.11k   842089.81k   845543.77k   846219.95k

Neat.

Prescription Combs fucked around with this message at 04:27 on May 12, 2015
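An added example, not from the thread, that parses the "Doing ... for 3s on N size blocks" lines printed by openssl speed and recomputes the throughput table itself (count × block size ÷ seconds, in OpenSSL's 1000-byte "k"). The sample input is the i5-2500K run pasted above, copied here so the script runs offline. One thing worth knowing when reading that run: in OpenSSL 1.0.x, `speed -evp NAME` applies the EVP path only to the first name on the command line; the remaining names go through the legacy low-level API, which is why they are printed with a space ("aes-256 cbc") instead of the EVP name ("aes-128-cbc"). Only the EVP path is wired to AES-NI, so the roughly 8x gap in the table is mostly AES-NI vs. software AES, not AES-128 vs. AES-256.

```python
"""Parse `openssl speed` output and recompute the kB/s summary.

Added example, not from the thread. SAMPLE is the i5-2500K run pasted
above, embedded so the script runs offline.
"""
import re
from collections import defaultdict

# e.g. "Doing aes-256 cbc for 3s on 16 size blocks: 17380960 aes-256 cbc's in 3.00s"
LINE_RE = re.compile(
    r"^Doing (?P<name>.+?) for \d+s on (?P<block>\d+) size blocks: "
    r"(?P<count>\d+) .*? in (?P<secs>[\d.]+)s$"
)

# Copied from the post above (constructed input for this example).
SAMPLE = """\
Doing aes-256 cbc for 3s on 16 size blocks: 17380960 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 4710371 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 1191494 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 299249 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 37441 aes-256 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 16 size blocks: 22247823 camellia-128 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 8192 size blocks: 77781 camellia-128 cbc's in 2.99s
Doing aes-128-cbc for 3s on 16 size blocks: 146106823 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 309895 aes-128-cbc's in 3.00s
OpenSSL 1.0.1k-fips 8 Jan 2015
"""


def parse_speed(text):
    """Return {cipher_name: {block_size: kB/s}} using OpenSSL's k = 1000 bytes.

    Lines that are not "Doing ..." measurements (version banner, summary
    table) are skipped.
    """
    result = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        block = int(m["block"])
        kbps = int(m["count"]) * block / float(m["secs"]) / 1000.0
        result[m["name"]][block] = round(kbps, 2)
    return dict(result)


def uses_evp_path(name):
    """OpenSSL 1.0.x names legacy (non-EVP) ciphers with a space, e.g.
    'aes-256 cbc', and EVP ciphers with the object name, e.g. 'aes-128-cbc'.
    Only the EVP path can use AES-NI."""
    return " " not in name


def speedup(table, fast, slow, block=8192):
    """Throughput ratio of two ciphers at a given block size."""
    return table[fast][block] / table[slow][block]


if __name__ == "__main__":
    table = parse_speed(SAMPLE)
    for name, cols in table.items():
        path = "EVP (AES-NI capable)" if uses_evp_path(name) else "legacy"
        print(f"{name:18s} {path:22s} " +
              " ".join(f"{cols[b]:>10.2f}k" for b in sorted(cols)))
    print("aes-128-cbc vs aes-256 cbc at 8192 bytes: "
          f"{speedup(table, 'aes-128-cbc', 'aes-256 cbc'):.1f}x")
```

To compare like with like, run each cipher in its own `openssl speed -evp NAME` invocation; the derived kB/s values match OpenSSL's own summary table to two decimals.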
