<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>On 6.1.2022. 16:02, Paul Wouters wrote:<br>
</p>
<blockquote type="cite"
cite="mid:aa8eb83-6139-fcbd-2e3d-ba122574eeb8@nohats.ca">On Wed, 5
Jan 2022, Mirsad Goran Todorovac wrote:
<br>
<br>
<blockquote type="cite">If I am allowed, I could also assert that
I have been positively surprised by the positive change in speed
with IKEv2 VPN: while IKEv1 L2TP over IPSec scored about 50 Mbps
download on our server, the IKEv2 showed 138 Mbps in Ookla
speedtest benchmark :) , over the Faculty's 1 Gbps link and my
150 Mbps home connection.
<br>
</blockquote>
<br>
That's because most likely your l2tp layer went through userland
xl2tpd.
<br>
It can be configured to use kernel l2tp.ko but that usually has
issues.
<br>
So yes, I'm not surprised :)
<br>
</blockquote>
<p>Copy that, I've seen from logs that the userland stuff was used.
If I had only L2TP I would try to enable l2tp.ko, but now that
IKEv2 runs at shiny new 250/214 Mbps, I don't think that there
really is a point.</p>
<p>BTW, I tried this:
<a class="moz-txt-link-freetext" href="https://support.microsoft.com/en-us/topic/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exchange-f0ad89ce-dcd5-56e2-9cee-4cbb01b4da1e">https://support.microsoft.com/en-us/topic/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exchange-f0ad89ce-dcd5-56e2-9cee-4cbb01b4da1e</a>
to remedy the modp1024 DH problem and it didn't work :(</p>
<p>Only this made the conn:
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048">https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048</a></p>
<p>Perhaps that should be more visible in the manuals at
libreswan.org? I've had difficulties finding it when I was in our
accounting. I've been testing IKEv2 over the holidays and I am
rather happy with the way it works. Nice job!<br>
Probably I could get away without reading the RFCs about the IKEv2
IETF standard, but it was sort of worthwhile: now I actually seem
to know what these options mean. It is so much better to do the
homework :)</p>
<p>BTW, my version of Windows 10 still appears to downgrade DH to
modp1024 on key renegotiation, so the ms-dh-downgrade=yes hack was
necessary. I hope they fix this bug.</p>
<p>I seem to have updated to 20H2 but not to Windows 11:</p>
<p><img src="cid:part1.tm7xp6lb.cKC3Mkuz@alu.unizg.hr" alt=""></p>
<p>Mirsad<br>
</p>
<p>-- </p>
<pre class="moz-signature" cols="72">Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
</pre>
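<p>Since the message describes keeping modp1024 reachable through ms-dh-downgrade=yes, the following added example (not part of the original message and not libreswan's own code) audits an ipsec.conf-style file for conns that still permit that group. The sample configuration, the function names and the accepted boolean spellings are assumptions made for illustration.</p>

```python
import re

WEAK_DH = {"modp1024", "dh2"}           # dh2 is the group-number spelling of modp1024
ENABLED = {"yes", "true", "on", "1"}    # spellings treated as "enabled" here (assumption)

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line starts a section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"').lower()
    return conns

def audit(text):
    """Return sorted (conn, finding) pairs for settings that still permit modp1024."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, opts in conns.items():
        eff = {**defaults, **opts}                # conn options override %default
        if eff.get("ms-dh-downgrade", "no") in ENABLED:
            findings.append((name, "ms-dh-downgrade enabled"))
        tokens = set(re.split(r"[-;+,\s]+", eff.get("ike", "")))
        if tokens & WEAK_DH:
            findings.append((name, "ike= offers modp1024"))
    return sorted(findings)

# Constructed sample configuration (not taken from the message).
SAMPLE = """\
conn %default
    ike=aes256-sha2;modp2048

conn win10-clients
    ms-dh-downgrade=yes     # the workaround mentioned in the message
    ike=aes256-sha2;modp2048,aes256-sha2;modp1024

conn site-to-site
    authby=secret
"""

if __name__ == "__main__":
    for conn, finding in audit(SAMPLE):
        print(f"{conn}: {finding}")
```

<p>Only explicit settings are reported; a conn with no ike= line is not judged, because the daemon's built-in defaults are outside what this check can see.</p>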
</body>
</html>