IPSEC documentation

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Thu Dec 29 04:38:22 PST 2005


On Thu, Dec 29, 2005 at 12:25:49PM +0000, Brian Candler wrote:
> On Thu, Dec 29, 2005 at 09:50:47AM +0300, Alexey Popov wrote:
> > If we would also have NAT-T support, FreeBSD would be the best choice 
> > of VPN concentrator.
> 
> /usr/ports/security/ipsec-tools/pkg-descr says:
> 
> "Known issues:
> - Non-threaded implementation.  Simultaneous key negotiation performance
>   should be improved."
> 
> I think that would limit its usefulness as a scalable concentrator, if the
> comment is still valid.

The comment is still valid, but the impact is not so strong.

Key negotiations don't happen so much during an IPSec tunnel
lifetime, and negotiating simultaneous SAs will be slow even with a
multi-threaded implementation if you have a low-end CPU.

And if you have a high-end CPU, SAs will be negotiated quickly, then
the impact of negotiating simultaneous SAs will be limited.


Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com


More information about the freebsd-net mailing list