
doc:howto:vpn.ipsec.basics

Differences

This shows you the differences between two versions of the page.

doc:howto:vpn.ipsec.basics [2013/05/05 11:49]
birnenschnitzel
doc:howto:vpn.ipsec.basics [2014/03/23 07:07] (current)
jaf323
Line 1: Line 1:
 ====== IPsec Basics ====== ====== IPsec Basics ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
  
 :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]]. :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]].
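Review bot: The added link [[doc/howto/vpn.overview]] is written as a slash-separated path, while the page ID is doc:howto:vpn.ipsec.basics and the existing link on the following line uses the short relative form (vpn.ipsec.basics.racoon). Use the same form here, for example [[vpn.overview]], so it resolves the same way as its neighbours. On wording, "an overview over all existing Virtual private network (VPN)-related articles" reads more cleanly as "an overview of all VPN-related articles". A one-cell table row is also an unusual container for a notice when the line below already uses the :!: marker.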
Line 282: Line 283:
 ===== Hardware performance ===== ===== Hardware performance =====
  
-In the times of broadband internet connections encryption and decryption speed of routers can limit throughput of VPN tunnels. CPU utilization ​maxes out at 100 percent and impacts other services of the device like a web server. ​If you really want to go with a self made IPsec VPN on a cheap router ​you should consider ​some facts+In the times of broadband internet connections encryption and decryption speed of SOME low-end ​routers can limit throughput of VPN tunnels. CPU utilization ​can max out at 100 percent and impacts other services of the device like a web server. ​FOR REFERENCE: Strongswan will run just FINE on a WNDR3700 (MIPS 680 Mhz, 64 Mb RAM). If your router ​is underpowered,​ here are some other options:
  
   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.
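Review bot: The new reference sentence, "Strongswan will run just FINE on a WNDR3700", gives no throughput figure, cipher or test condition, so a reader cannot compare it with the 20 MBit/sec quoted for the Netscreen 5GT in the bullet below. State the tunnel throughput that was measured and with which proposal, or say under what load it was found to be fine. Drop the all-caps emphasis (SOME, FOR REFERENCE, FINE), write the units as MHz and MB ("64 Mb" reads as megabits), and spell the product name the same way as the notice at the top of the page.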
Line 349: Line 350:
  
 After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]]. After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]].
 +
 +===== Current Issues =====
 +The latest trunk includes Strongswan 5.1.1-1. It will compile if you remove curl, but will not run due to a module loading issue. ​
 +One workaround is to configure the charon.load string in strongswan.conf,​ which explicitly loads the modules you want/need.
 +
 +Example:
 +<​code>​
 +Charon {
 +   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
 +....
 +</​code>​
  
 ===== Tag ===== ===== Tag =====
  
 {{tag>​crypto}} {{tag>​crypto}}
 +
  
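Review bot: The example opens the section as "Charon {" while the sentence above it names the key charon.load, and the block ends in "...." with no closing brace. Write the section name exactly as the key is named (lowercase charon) and close the block so it can be pasted as shown. Because this line explicitly lists the plugins to load, it is also the place to say which entries are optional: des and md5 are in the list, and a reader who needs neither for a peer should be told they can be left out rather than copying legacy algorithms by default. "It will compile if you remove curl" should say whether that means the curl plugin or the package, and "latest trunk" should carry a revision or date so the section can be retired once the loading issue is fixed.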
doc/howto/vpn.ipsec.basics.1367747354.txt.bz2 · Last modified: 2013/05/05 11:49 by birnenschnitzel