From owner-freebsd-stable@FreeBSD.ORG Mon Dec 3 14:39:47 2007
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA6EC16A417 for ; Mon, 3 Dec 2007 14:39:47 +0000 (UTC) (envelope-from mike@jellydonut.org)
Received: from mail2.secureworks.net (mail2.secureworks.net [65.114.32.154]) by mx1.freebsd.org (Postfix) with ESMTP id 8EE1A13C4EB for ; Mon, 3 Dec 2007 14:39:47 +0000 (UTC) (envelope-from mike@jellydonut.org)
Received: from localhost (localhost.secureworks.net [127.0.0.1]) by mail2.secureworks.net (Postfix) with ESMTP id 3994B56556; Mon, 3 Dec 2007 09:38:52 -0500 (EST)
X-Virus-Scanned: amavisd-new at secureworks.net
Received: from mail2.secureworks.net ([127.0.0.1]) by localhost (mail2.secureworks.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ML7uwFPqvPJo; Mon, 3 Dec 2007 09:38:52 -0500 (EST)
Received: from [192.168.23.35] (mole1.secureworks.net [63.239.86.3]) by mail2.secureworks.net (Postfix) with ESMTP id 086C256554; Mon, 3 Dec 2007 09:38:52 -0500 (EST)
Message-ID: <47541532.7010300@jellydonut.org>
Date: Mon, 03 Dec 2007 09:39:46 -0500
From: Michael Proto
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8pre) Gecko/20071022 Thunderbird/2.0.0.6 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Dewayne Geraghty
References: <45B7689C.2060209@vwsoft.com> <023801c83548$aac34320$0205000a@white>
In-Reply-To: <023801c83548$aac34320$0205000a@white>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-stable@freebsd.org
Subject: Re: IPSEC + Via Padlock + racoon + Windows
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Dec 2007 14:39:47 -0000

Dewayne Geraghty wrote:
> We're looking to deploy FreeBSD on our main firewall. The firewall config
> is a VIA C7 (padlock), racoon (ipsec-tools-0.7), IPSec. We're testing racoon
> with a Windows box; however, the firewall doesn't function correctly when
> net.inet.ipsec.crypto_support=1 is set. With
> net.inet.ipsec.crypto_support=0 it does.
>
> The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a
> separate HDD (as at 2007-12-02).
>
> "Doesn't function correctly" means that after phase 1 & 2 negotiation the
> Windows box is able to send a ping (from WXP-SP2+) to the server. The
> server doesn't respond to the pings, but generates "pfkey Update failed"
> messages during racoon debugging. (Wireshark was running on the PC-WXP,
> tcpdump on FreeBSD.)
>
> The testing was performed with both ends configured for ESP transport mode,
> 3DES and MD5 for encryption and hashing, and PFS (Diffie-Hellman 2 (1024)).
> These two machines were connected on a stand-alone network (via crossover
> cables).
>
> Server kernel uses
> options FAST_IPSEC
> device cryptodev
> device padlock
> options IPFIREWALL
>
> /etc/sysctl.conf contains the following, which may be relevant:
> net.inet.ip.fastforwarding=1
> kern.cryptodevallowsoft=1
> net.inet.ipsec.crypto_support=1   # this was toggled 1/0 during testing
> net.inet.icmp.icmplim=10          # These may be off-track?
> net.inet.tcp.slowstart_flightsize=4
>
> I hope that someone can provide some guidance, as I'm looking forward to
> getting the performance out of these energy-efficient little processors. I
> should note that IPSec works fine between FreeBSD boxes with
> net.inet.ipsec.crypto_support=1; however, we have to reconfigure for
> high-value PC communications. I'd like to have my cake
> (freebsd-ipsec-padlock) and eat it too (WXP) ;)
>
> Reference:
> net.inet.ipsec.crypto_support values from
> http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323
>

Not that this solves your problem, but doesn't the padlock crypto engine only
provide acceleration for AES symmetric encryption? From the man page:

    The C3 and Eden processor series from VIA include hardware acceleration
    for AES. The C7 series includes hardware acceleration for AES, SHA1,
    SHA256 and RSA. All of the above processor series include a hardware
    random number generator.

Does using AES instead of 3DES change your situation at all?

-Proto
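As an added illustration (not from either poster), here is a racoon.conf (ipsec-tools 0.7) phase 1 / phase 2 configuration for the ESP transport-mode, PFS DH group 2 setup described in the thread, with the 3DES/MD5 proposal Dewayne tested kept as a comment beside an AES/SHA1 proposal that the C7 padlock engine can accelerate according to the man page Proto quotes. The 192.0.2.x addresses and the psk.txt path are constructed placeholders.

```conf
# Added example, not from the thread. racoon.conf for one ESP transport-mode
# peer. Constructed placeholders: 192.0.2.1 = FreeBSD/padlock firewall,
# 192.0.2.2 = Windows XP host, psk.txt = pre-shared key file.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;

remote 192.0.2.2 {
        exchange_mode main;
        lifetime time 8 hour;
        proposal_check obey;
        # Phase 1 as tested on the list: 3DES / MD5 / DH group 2 (modp1024).
        # proposal {
        #         encryption_algorithm 3des;
        #         hash_algorithm md5;
        #         authentication_method pre_shared_key;
        #         dh_group modp1024;
        # }
        # Phase 1 using algorithms the C7 padlock engine accelerates (AES, SHA1).
        proposal {
                encryption_algorithm aes 128;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Phase 2: PFS with DH group 2; AES-128 / HMAC-SHA1 in place of 3DES / HMAC-MD5.
sainfo address 192.0.2.1 any address 192.0.2.2 any {
        pfs_group modp1024;
        lifetime time 1 hour;
        encryption_algorithm aes 128;        # was: 3des
        authentication_algorithm hmac_sha1;  # was: hmac_md5
        compression_algorithm deflate;
}

# Transport mode is selected by the SPD, not by racoon.conf. Matching policy
# loaded with setkey(8) via "setkey -f <file>"; racoon negotiates the SAs:
#   spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
#   spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

The Windows side's IPsec policy must offer the same algorithm set, or phase 1/phase 2 will simply fail to agree on a proposal.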