[Openswan dev] Using OpenSSL for encryption/decryption

Paul Wouters paul at xelerance.com
Fri Jun 4 11:12:50 EDT 2010


On Fri, 4 Jun 2010, Masashi Honma wrote:

> I am planning to use hardware acceleration for encryption/decryption on
> Openswan. I found OCF-Linux could be used. But I will not use it,
> because it needs to be patched into the Linux kernel.
>
> OpenSSL has a hardware acceleration system (the so-called "engine"). As
> far as I know, Openswan uses OpenSSL not for encryption/decryption but for
> certificates and hashes. So I will implement encryption/decryption with
> OpenSSL. Is there any restriction on using OpenSSL?

You realise the real gain is at the IPsec (kernel) level, not at the IKE (userland)
level?

If your system is so loaded that you need userland acceleration, you are
already buckling under the kernel crypto load. Some acceleration code
might actually cause decreased performance because of the overhead of
sending and receiving it from the acceleration layer.

What is the ratio of IPsec vs IKE packets on your systems? Are you going to
accelerate the DH too? Or just the 3des/aes md5/sha1? Are you going to do
proper testing of the accelerated version?

Note that openswan is moving towards using NSS for crypto in its userland,
not openssl, due to certification and licensing. You have a chance of
getting your changes accepted in our code if you use NSS, less if you use
openssl.

Paul

