Quote from: fadern on December 19, 2023, 02:02:59 PM
Hi,
I'm trying to migrate my current IPsec S2S connection (Tunnel Settings) to the new "Connections" but I'm not sure which algorithms etc. to select.
What's wrong with the current ones?
Quote
Could any of you help me choose secure and fast algorithms?
How fast a specific algorithm performs really depends on the hardware used (and specific cipher selection); that's something you have to benchmark on your platform.
Quote
My current settings are
Phase 1
Encryption algorithm: 256 bit AES-GCM with 128 bit ICV
Hash algorithm: SHA512
DH key group: 21 (NIST EC 521)
Phase 2
Protocol: ESP
Encryption algorithms: aes256gcm16
Hash algorithms: none
PFS: 21 (NIST EC 521 bits)
AES-GCM is the algorithm to choose, but 128-bit is faster than 256-bit. Do you need the extra bits?
ECC encryption uses smaller key sizes but shouldn't be automatically "faster" than RSA, but preferred anyway.
Do you trust the NIST curves? You might want to choose ed25519 or ed448
https://zisc.ethz.ch/wp-content/uploads/2020/11/ed25519-SP.pdf
Quote
(I ended up with these after some reading but I'm not sure that they are perfect...)
To improve is to change; to be perfect is to change often. ― Winston Churchill
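
Added example, not part of the original posts: a small translator from the legacy Phase 1/Phase 2 choices listed above to proposal strings, assuming the new "Connections" settings accept strongSwan-style proposal keywords. The function and table names are hypothetical; group 31 (curve25519) is used as the non-NIST key-exchange option.

```python
# Added example: legacy Phase 1/2 choices -> strongSwan-style proposal strings.
# Function and table names are hypothetical, not taken from any product.

DH_GROUPS = {  # IKE group number -> strongSwan keyword
    14: "modp2048", 19: "ecp256", 20: "ecp384", 21: "ecp521",
    31: "curve25519", 32: "curve448",
}
AEAD = {"aes128gcm16", "aes256gcm16"}   # combined-mode ciphers, 16-byte ICV
CLASSIC = {"aes128", "aes256"}          # CBC, need a separate integrity hash
HASHES = {"sha256", "sha384", "sha512"}


def _dh(group):
    if group not in DH_GROUPS:
        raise ValueError(f"unsupported DH group {group}")
    return DH_GROUPS[group]


def ike_proposal(enc, hash_, dh_group):
    """Phase 1: IKE always needs a PRF and a DH group."""
    if hash_ not in HASHES:
        raise ValueError("IKE needs a hash (used as PRF and/or integrity)")
    if enc in AEAD:
        # AES-GCM authenticates itself; the hash is only used as the PRF.
        return f"{enc}-prf{hash_}-{_dh(dh_group)}"
    if enc in CLASSIC:
        # Integrity hash; the PRF is derived from it when none is listed.
        return f"{enc}-{hash_}-{_dh(dh_group)}"
    raise ValueError(f"unknown cipher {enc}")


def esp_proposal(enc, hash_, pfs_group=None):
    """Phase 2: hash must be None for AEAD; PFS group is optional."""
    if enc in AEAD:
        if hash_ is not None:
            raise ValueError("AEAD ciphers take no separate ESP hash")
        parts = [enc]
    elif enc in CLASSIC:
        if hash_ not in HASHES:
            raise ValueError("CBC ciphers need an integrity hash")
        parts = [enc, hash_]
    else:
        raise ValueError(f"unknown cipher {enc}")
    if pfs_group is not None:
        parts.append(_dh(pfs_group))
    return "-".join(parts)


if __name__ == "__main__":
    print(ike_proposal("aes256gcm16", "sha512", 21))
    print(esp_proposal("aes256gcm16", None, 21))
```

The "Hash algorithms: none" entry in the legacy Phase 2 settings corresponds to the AEAD branch of `esp_proposal`, which rejects a separate hash.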