On Thu, Jan 08, 2015 at 12:08:30PM +0100, Eric Feliksik wrote:
> I am looking to connect edge-routers in a VPN over the Internet, with
> requirement:
> - Mesh
> - NAT-traversing
> - 500 mbit throughput.
>
> I'm using Tinc 1.0.23 and it does this very nicely (I think I could also
> use 1.1, once it's considered stable) except for the throughput: the
> edgerouters cannot encrypt this fast. So I want to relieve the edge routers
> from this responsibility.
>
> If the end hosts can encrypt their point-to-point communication with ipsec
> (but the mesh vpn and nat-T is done by tinc), what would be the
> consequences of using tinc with "Cipher = none"? What ipsec-wrapping
> headers (from tinc, I assume) would be exposed, and is this a bad idea,
> security wise?
IPsec is designed to run over the open Internet, so there is no harm in
setting Cipher = none in this case. You could also try setting Digest = none as
well. Of course, how you set up keys for IPsec is also
important; make sure that is also done in a secure way.
If you use the new protocol in tinc 1.1, it will use the ChaCha-Poly1305
authenticated cipher. Even though only a C implementation of it without any
assembler optimizations is used, it is a very fast cipher. You can try
to run the "sptps_speed" command from 1.1pre11 on your edge router and
see how fast they can theoretically go.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
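To make the exposure question concrete, here is an added example (not code from the thread or from the tinc project) that parses a constructed tinc-style UDP datagram sent with Cipher = none and reports what a passive observer on the path can read. It assumes, as a simplification, that the legacy tinc data packet is a 4-byte sequence number followed by the tunnelled IP packet (with Digest = none there is no trailing MAC); the ESP layout (SPI, sequence number, then ciphertext) follows RFC 4303. The sample addresses, SPI and filler bytes are constructed.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50  # IP protocol number for ESP (RFC 4303)
TCP_PROTO = 6

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header plus payload (checksum left zero: we only parse it)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload

def build_esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by the opaque encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext

def build_tinc_plain(seqno, ip_packet):
    """Assumed legacy tinc data packet with Cipher = none / Digest = none:
    a 32-bit sequence number, then the tunnelled IP packet, no MAC."""
    return struct.pack("!I", seqno) + ip_packet

def parse_exposed(datagram):
    """Return the fields readable in clear when tinc runs with Cipher = none."""
    tinc_seqno = struct.unpack("!I", datagram[:4])[0]
    ip = datagram[4:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    info = {
        "tinc_seqno": tinc_seqno,
        "inner_src": str(IPv4Address(ip[12:16])),
        "inner_dst": str(IPv4Address(ip[16:20])),
        "inner_proto": proto,
    }
    if proto == ESP_PROTO:
        # Only the ESP header is visible; the body is still IPsec ciphertext.
        spi, esp_seq = struct.unpack("!II", ip[ihl:ihl + 8])
        info.update(esp_spi=spi, esp_seq=esp_seq,
                    esp_ciphertext_len=len(ip) - ihl - 8)
    else:
        # Anything that is not ESP-wrapped crosses the Internet in clear.
        info["cleartext_payload_len"] = len(ip) - ihl
    return info

if __name__ == "__main__":
    # Constructed samples: one ESP-protected flow, one plain TCP segment.
    esp_pkt = build_tinc_plain(42, build_ipv4("10.0.0.1", "10.0.0.2", ESP_PROTO,
                                              build_esp(0x1001, 7, b"\x5a" * 48)))
    tcp_pkt = build_tinc_plain(43, build_ipv4("10.0.0.1", "10.0.0.2", TCP_PROTO,
                                              b"GET / HTTP/1.0\r\n\r\n"))
    for pkt in (esp_pkt, tcp_pkt):
        print(parse_exposed(pkt))
```

The ESP case shows the practical answer to the question: with Cipher = none, the tinc sequence number, the inner IP addresses, the ESP SPI and ESP sequence number are visible, but the ESP body stays ciphertext. The TCP case shows the caveat: any host-to-host traffic that is not covered by an IPsec policy is exposed end to end, so the IPsec policy on the end hosts has to be mandatory rather than opportunistic.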