From: Michael Proto
Date: Mon, 03 Dec 2007 16:29:22 -0500
To: Dewayne Geraghty
Cc: freebsd-stable@freebsd.org
Subject: Re: IPSEC + Via Padlock + racoon + Windows

Dewayne Geraghty wrote:
> My apologies for the confusion, yes, the C7 only helps with AES.
>
> The configuration detail is: between branch offices I use FreeBSD ipsec
> (AES), and within the branches Windows boxes access the firewall boxes. The
> "firewalls" run samba inside a jail. Due to sensitive information (see your
> local Privacy legislation), we also need to encrypt the information between
> samba jail and the PC-WXP devices. Hence the need to use ipsec-AES on the
> WAN and ipsec-3des on the LAN (as 3des is the best option selectable for
> WXP).
>
> Regards, Dewayne.
>

Just out of curiosity, what happens if you set
net.inet.ipsec.crypto_support = -1 when using 3DES in your testing? Does
the firewall work then?

-Proto