Netgate Discussion Forum

    OpenVPN recommended Data Encryption Algorithms when using SG-2100 appliance's crypto engine?

    Tags: cryptographic, sg2100, openvpn, smid, encryption
    23 Posts 6 Posters 4.0k Views 6 Watching
    • JonathanLee @jimp

      @jimp Quick question: I am learning that you should not enable both IPsec-MB and SafeXcel at the same time. Is this true? If so, should I open a Redmine so that it will not allow the GUI to enable both?

      Per @kprovost "JonathanLee I mean, you can't use both at the same time. The data's only ever going to be processed by one of them. I'd have to go dig deep in the code to tell you how the selection is made if both are enabled, but it looks like in this case it ends up using IIMB.

      IIMB is fine, but probably not quite as fast as SafeXcel. You're getting crypto acceleration either way, just in a different way."

      Leading to if @kprovost has a bug fix for cryptographic code set that OpenVPN uses and it looks like it was merged. So I am confused at this point.

      Can we or can't we use both of them?

      This was the bug fix he worked on. So I assume he is a reputable source to state you can't use both with OpenVPN.

      This was the buffer bug fix
      https://sourceforge.net/p/openvpn/mailman/message/58728397/
      https://github.com/OpenVPN/openvpn/issues/487

      Does anyone have clarity on what occurs when both are enabled,
      when the GUI has both IPsec and SafeXcel marked active?

      Make sure to upvote

      • kprovost @JonathanLee

        @JonathanLee Either one will work. Things will even work if you have both activated, but then only one of them will do the work. We're not going to be splitting the cryptographic work between the two, or doing it twice just so both will get used.

        • JonathanLee @kprovost

          @kprovost The speed difference is substantial with only having one enabled, so much so that I would say this would need a Redmine to only allow one to be selected at a time. Does anyone else agree?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.