From: "Dewayne Geraghty" <phil@amdg.etowns.org>
To: freebsd-stable@freebsd.org
Date: Mon, 3 Dec 2007 12:05:59 +1100
Subject: IPSEC + Via Padlock + racoon + Windows
Message-ID: <023801c83548$aac34320$0205000a@white>
In-Reply-To: <45B7689C.2060209@vwsoft.com>
List-Id: Production branch of FreeBSD source code
We're looking to deploy FreeBSD on our main firewall. The firewall config is a VIA C7 (padlock), racoon (ipsec-tools-0.7), IPSec. We're testing racoon with a Windows box; however, the firewall doesn't function correctly when net.inet.ipsec.crypto_support=1 is set. With net.inet.ipsec.crypto_support=0 it does. The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a separate HDD (as at 2007-12-02).

"Doesn't function correctly" means that after phase 1 & 2 negotiation the Windows box is able to send a ping (from WXP-SP2+) to the server. The server doesn't respond to the pings, but generates "pfkey Update failed" messages during racoon debugging. (Wireshark was running on the PC-WXP, tcpdump on FreeBSD.)

The testing was performed with both ends configured for ESP transport mode, 3DES and MD5 for encryption and hashing, and PFS (Diffie-Hellman group 2 (1024)). These two machines were connected on a stand-alone network (via crossover cables).

Server kernel uses:

    options FAST_IPSEC
    device cryptodev
    device padlock
    options IPFIREWALL

/etc/sysctl.conf contains the following, which may be relevant:

    net.inet.ip.fastforwarding=1
    kern.cryptodevallowsoft=1
    net.inet.ipsec.crypto_support=1  # this was toggled 1/0 during testing
    net.inet.icmp.icmplim=10         # These may be off-track?
    net.inet.tcp.slowstart_flightsize=4

I hope that someone can provide some guidance, as I'm looking forward to getting the performance out of these energy-efficient little processors. I should note that IPSec works fine between FreeBSD boxes with net.inet.ipsec.crypto_support=1; however, we have to reconfigure for high-value PC communications. I'd like to have my cake (freebsd-ipsec-padlock) and eat it too (WXP) ;)

Reference: net.inet.ipsec.crypto_support values from
http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323

Dewayne (Phil) Geraghty
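For readers reproducing the setup the post describes (racoon from ipsec-tools 0.7, ESP transport mode, 3DES/MD5, PFS with DH group 2, pre-shared key), here is an added racoon.conf and setkey.conf pair matching those parameters; it is an illustration written for this thread, not the poster's configuration, and the addresses 192.0.2.1 (FreeBSD) and 192.0.2.2 (Windows) and the PSK path are assumed placeholders.

```conf
# ---- /usr/local/etc/racoon/racoon.conf (added example, placeholder addresses) ----
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # one line per peer: "192.0.2.2 <secret>"
log notify;

listen {
    isakmp 192.0.2.1 [500];          # FreeBSD firewall, placeholder address
}

# Phase 1 (IKE / ISAKMP) proposal for the Windows peer, main mode, 3DES + MD5, DH group 2
remote 192.0.2.2 {
    exchange_mode main;
    my_identifier address 192.0.2.1;
    proposal_check obey;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;                  # 1024-bit MODP, as in the post
    }
}

# Phase 2 (IPsec SA) parameters: ESP 3DES with HMAC-MD5, PFS with DH group 2
sainfo address 192.0.2.1/32 any address 192.0.2.2/32 any {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

# ---- /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf" (added example) ----
# Security policies only; racoon negotiates the SAs themselves. Transport mode
# between the two hosts, ESP required in both directions, as the post describes.
flush;
spdflush;
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

With both files in place, toggling net.inet.ipsec.crypto_support between 1 and 0 and re-running the ping test isolates the padlock/cryptodev path from the negotiation itself, which is the comparison the post is making.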