Date: Mon, 03 Dec 2007 09:39:46 -0500 From: Michael Proto <mike@jellydonut.org> To: Dewayne Geraghty <phil@amdg.etowns.org> Cc: freebsd-stable@freebsd.org Subject: Re: IPSEC + Via Padlock + racoon + Windows Message-ID: <47541532.7010300@jellydonut.org> In-Reply-To: <023801c83548$aac34320$0205000a@white> References: <45B7689C.2060209@vwsoft.com> <023801c83548$aac34320$0205000a@white>
Dewayne Geraghty wrote:
> We're looking to deploy FreeBSD on our main firewall. The firewall config
> is a VIA C7 (padlock), racoon (ipsec-tools-0.7), IPSec. We're testing racoon
> with a Windows box; however, the firewall doesn't function correctly when
> net.inet.ipsec.crypto_support=1 is set. With
> net.inet.ipsec.crypto_support=0 it does.
>
> The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a
> separate HDD (as at 2007-12-02).
>
> "Doesn't function correctly" means that after phase 1 & 2 negotiation the
> Windows box is able to send a ping (from WXP-SP2+) to the server. The
> server doesn't respond to the pings, but generates pfkey Update failed
> messages during racoon debugging. (wireshark was running on the PC-WXP,
> tcpdump on FreeBSD)
>
> The testing was performed with both ends configured for esp transport mode,
> 3des and md5 for encryption and hashing, and pfs (Diffie-Hellman 2 (1024)).
> These two machines were connected on a stand-alone network (via crossover
> cables).
>
> Server kernel uses
> options FAST_IPSEC
> device cryptodev
> device padlock
> options IPFIREWALL
>
> /etc/sysctl.conf contains the following which may be relevant:
> net.inet.ip.fastforwarding=1
> kern.cryptodevallowsoft=1
> net.inet.ipsec.crypto_support=1 # this was toggled 1/0 during testing
> net.inet.icmp.icmplim=10 # These may be off-track?
> net.inet.tcp.slowstart_flightsize=4
>
> I hope that someone can provide some guidance, as I'm looking forward to
> getting the performance out of these energy efficient little processors. I
> should note that IPSec works fine between FreeBSD boxes with
> net.inet.ipsec.crypto_support=1; however, we have to reconfigure for
> high-value PC communications. I'd like to have my cake
> (freebsd-ipsec-padlock) and eat it too (WXP) ;)
>
> Reference:
> net.inet.ipsec.crypto_support values from
> (http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323)

Not that this solves your problem, but doesn't the padlock crypto engine
only provide acceleration for AES symmetric encryption? From the man page:

  The C3 and Eden processor series from VIA include hardware acceleration
  for AES. The C7 series includes hardware acceleration for AES, SHA1,
  SHA256 and RSA. All of the above processor series include a hardware
  random number generator.

Does using AES instead of 3DES change your situation at all?

-Proto
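For comparison, a racoon.conf phase 2 (sainfo) stanza as the original poster describes the setup (3DES + MD5) next to one that offers only the algorithms the padlock(4) text quoted above lists for the C7. This is an added illustration, not configuration from either poster; the `anonymous` selector, the AES key length and the lifetime are assumptions.

```conf
# Phase 2 proposal as described in the original post: 3DES and MD5.
# Neither appears in the padlock(4) list of accelerated algorithms for
# the C7, so even with net.inet.ipsec.crypto_support=1 the ESP work for
# this SA cannot be handed to the padlock engine.
sainfo anonymous {
        pfs_group 2;                        # Diffie-Hellman group 2 (1024 bit), as in the post
        lifetime time 1 hour;               # assumed value
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

# Same stanza restricted to AES-128-CBC and HMAC-SHA1, the two ESP
# primitives the quoted padlock(4) text says the C7 accelerates.
# Offering only these makes the "does AES change anything" test
# unambiguous: phase 2 either agrees on them or fails outright.
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;               # assumed value
        encryption_algorithm aes 128;       # key length in bits
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Only one of the two stanzas belongs in a live racoon.conf. If phase 2 then fails, the transforms the Windows peer actually offered are visible in the same racoon debug output the poster already collects, which settles whether the peer will accept AES at all.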