On 6.1.2022. 16:02, Paul Wouters wrote:
> On Wed, 5 Jan 2022, Mirsad Goran Todorovac wrote:
>> If I am allowed, I could also assert that I have been positively
>> surprised by the positive change in speed with IKEv2 VPN: while IKEv1
>> L2TP over IPSec scored about 50 Mbps download on our server, the
>> IKEv2 showed 138 Mbps in Ookla speedtest benchmark :) , over the
>> Faculty's 1 Gbps link and my 150 Mbps home connection.
> That's because most likely your l2tp layer went through userland xl2tpd.
> It can be configured to use kernel l2tp.ko but that usually has issues.
> So yes, I'm not surprised :)
Copy that, I've seen from logs that the userland stuff was used. If I
had only L2TP I would try to enable l2tp.ko, but now that IKEv2 runs at
shiny new 250/214 Mbps, I don't think that there really is a point.
BTW, I tried this:
https://support.microsoft.com/en-us/topic/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exchange-f0ad89ce-dcd5-56e2-9cee-4cbb01b4da1e
to remedy the modp1024 DH problem and it didn't work :(
Only this made the conn:
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
Perhaps that should be more visible in the manuals at libreswan.org?
I've had difficulties finding it when I was in our accounting. I've been
testing IKEv2 over the holidays and I am rather happy with the way it
works. Nice job!
Probably I could get away without reading the RFCs about IKEv2 IETF
standard, but it was sort of worthwhile, now I actually seem to know
what these options mean, it is so much better to do the homework :)
BTW, my version of Windows 10 still appears to downgrade DH to modp1024
on key renegotiation, so the ms-dh-downgrade=yes hack was necessary. I
hope they fix this bug.
I seem to have updated to 20H2 but not to Windows 11:
Mirsad
--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan