Date: Mon, 3 Dec 2007 12:05:59 +1100
From: "Dewayne Geraghty" <phil@amdg.etowns.org>
To: <freebsd-stable@freebsd.org>
Subject: IPSEC + Via Padlock + racoon + Windows
Message-ID: <023801c83548$aac34320$0205000a@white>
In-Reply-To: <45B7689C.2060209@vwsoft.com>
References: <45B7689C.2060209@vwsoft.com>
We're looking to deploy FreeBSD on our main firewall. The firewall config is a VIA C7 (padlock), racoon (ipsec-tools-0.7), IPSec. We're testing racoon with a Windows box; however, the firewall doesn't function correctly when net.inet.ipsec.crypto_support=1 is set. With net.inet.ipsec.crypto_support=0 it does. The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a separate HDD (as at 2007-12-02).

"Doesn't function correctly" means that after phase 1 & 2 negotiation the Windows box is able to send a ping (from WXP-SP2+) to the server. The server doesn't respond to the pings, but generates "pfkey Update failed" messages during racoon debugging. (Wireshark was running on the PC-WXP, tcpdump on FreeBSD.)

The testing was performed with both ends configured for ESP transport mode, 3DES and MD5 for encryption and hashing, and PFS (Diffie-Hellman group 2 (1024)). These two machines were connected on a stand-alone network (via crossover cables).

Server kernel uses:

    options FAST_IPSEC
    device cryptodev
    device padlock
    options IPFIREWALL

/etc/sysctl.conf contains the following, which may be relevant:

    net.inet.ip.fastforwarding=1
    kern.cryptodevallowsoft=1
    net.inet.ipsec.crypto_support=1     # this was toggled 1/0 during testing
    net.inet.icmp.icmplim=10            # These may be off-track?
    net.inet.tcp.slowstart_flightsize=4

I hope that someone can provide some guidance, as I'm looking forward to getting the performance out of these energy-efficient little processors. I should note that IPSec works fine between FreeBSD boxes with net.inet.ipsec.crypto_support=1; however, we have to reconfigure for high-value PC communications. I'd like to have my cake (freebsd-ipsec-padlock) and eat it too (WXP) ;)

Reference: net.inet.ipsec.crypto_support values from
http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323

Dewayne (Phil) Geraghty