VPNC - Possible to change encryption to AES-128?

Hi
I have a VPN from OpenWrt to Fritz!Box. Setup was a little tricky, but finally I got it working. I'm using VPNC. But now I have a performance problem. When I use Shrew Soft VPN Client on my Windows computer to connect to Fritz!Box, speed is somewhere between 8-10 MBits. 10 MBits is link speed, so no problem on Fritz!Box side. When I connect with OpenWrt (running on PC Engines ALIX), VPN speed is round about 3 MBits and CPU of ALIX seems to be the bottleneck, because load is >1.

The question now is, is it possible to change the encryption to AES-128? Because Geode LX CPU of ALIX has hardware support for AES-128. Driver for "geode_aes" is loaded and accessible.

root@OpenWrt:~# lsmod | grep aes
geode_aes              12288 11

As you can see, geode_aes is used 11 times (WiFi?). No matter if VPNC is up and running or not. Hopefully I can speed up VPNC this way.

Many thanks in advance!

Yes it's possible if you enable VPNC with hardware accelerated crypto:
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators

That is what I want to have. But how to tell VPNC to use AES-128 instead of whatever it's using now? As I understand, VPNC is using highest encryption possible for both ends. This is AES-256 maybe? Now I have to tell VPNC to use AES-128, because that's the only one ALIX CPU can do in hardware.

I'm afraid that this may require a server administration.

You must edit server settings and lower them to AES128. But client doesn't have settings to configure them so only server parameters can be changed.

Server is AVM Fritz!Box 7412 with FritzOS in this case. I doubt there is anything to configure, at least I couldn't find anything related to VPN encryption. What you can configure is, you can check a checkbox next to your username to activate VPN for this user. After save&apply, Fritz!Box tells you how to connect with client. That's everything. This is why I'm asking here. Because OpenWrt is "open", it should be easier to make changes on this end of the VPN. Technically it doesn't matter, because both ends use max encryption both are capable of. So if I change on either end to AES-128, it should work and "geode_aes" can do its job.

At VPNC Homepage you can read that VPNC is capable of AES-128.

Supported Authentications: Hybrid, Pre-Shared-Key + XAUTH, Pre-Shared-Key
Supported IKE DH-Groups: dh1 dh2 dh5
Supported Hash Algo (IKE/IPSEC): md5 sha1
Supported Encryptions (IKE/IPSEC): (null) (1des) 3des aes128 aes192 aes256
Perfect Forward Secrecy: nopfs dh1 dh2 dh5

At Fritz!Box Homepage you can read that Fritz!Box 7412 is also capable of AES-128

Supported IPSec algorithms for IKE phase 1:

    Encryption methods:
        AES with 256 bit, 192 bit, 128 bit
        Triple-DES with 168 bit
        DES with 56 bit
    Hash algorithm:
        SHA2-512
        SHA1
        MD5-96
    Key agreement:
        initially Diffie-Hellman 1024 bit (DH group 2), afterwards also 768 bit (DH group 1), 1536 bit (DH group 5), 20148 bit (DH group 14) and 3072 bit (DH group 15)

Supported IPSec algorithms for IKE phase 2:

    Encryption methods:
        AES with 256 bit, 192 bit, 128 bit
        Triple-DES with 168 bit
        DES with 56 bit
    Hash algorithm:
        SHA2-512
        SHA1
        MD5-96
    Key agreement:
        The Diffie-Hellman group is determined by IKE phase 1
    Compression:
        none
        LZJH
        Deflate

Sorry, the latter is in German. But I think it's clear. Since both ends are capable of AES-256 also, this is (should?) the encryption in use.

But sadly I can't find the screw to tell that AES-128 is the one and only my hardware is capable of.
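
To check on the OpenWrt side which AES implementation the kernel crypto API prefers, the following added example (not part of any post in this thread) parses `/proc/crypto`-format text and prints the highest-priority driver for each AES algorithm. The sample records and the function names `sample_proc_crypto` and `best_aes_drivers` are constructed for illustration.

```shell
#!/bin/sh
# Added example: for each AES algorithm in /proc/crypto-format text, print the
# implementation with the highest "priority" (the one the kernel prefers).
# Constructed, abbreviated sample (not captured from a real ALIX board).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
min keysize  : 16
max keysize  : 32

name         : cbc(aes)
driver       : cbc-aes-geode
module       : geode_aes
priority     : 400
min keysize  : 16
max keysize  : 32

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 100
EOF
}

# Reads /proc/crypto-format text from the named file, or stdin if none given.
best_aes_drivers() {
    awk '
    BEGIN { RS = ""; FS = "\n" }          # blank-line-separated records
    {
        split("", f)                      # clear the per-record field map
        for (i = 1; i <= NF; i++) {
            p = index($i, ":"); if (p == 0) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            f[k] = v
        }
        n = f["name"]
        if (n !~ /aes/) next              # keep AES-based algorithms only
        if (!(n in prio) || f["priority"] + 0 > prio[n]) {
            prio[n] = f["priority"] + 0
            line[n] = n " " f["driver"] " module=" f["module"] " prio=" prio[n] " keybytes=" f["min keysize"] "-" f["max keysize"]
        }
    }
    END { for (n in line) print line[n] }' "$@" | sort
}
sample_proc_crypto | best_aes_drivers   # on the router: best_aes_drivers /proc/crypto
```

This reports only what the kernel crypto API would select; whether VPNC's own cipher code goes through the kernel is a separate question that the thread does not settle.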