IPSEC + Via Padlock + racoon + Windows

Michael Proto mike at jellydonut.org
Mon Dec 3 06:39:47 PST 2007

Dewayne Geraghty wrote:
> We're looking to deploy FreeBSD on our main firewall.  The firewall config
> is a VIA C7 (padlock), racoon(ipsec-tools-0.7), IPSec.  We're testing racoon
> with a windows box, however the firewall doesn't function correctly when
> net.inet.ipsec.crypto_support=1 is set.  With a
> net.inet.ipsec.crypto_support=0 it does.  
> The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a
> separate HDD (as at 2007-12-02).
> "Doesn't function correctly" means that after phase 1 & 2 negotiation the
> Windows box is able to send a ping (from WXP-SP2+) to the server.  The
> server doesn't respond to the pings, but generates pfkey Update failed
> messages during racoon debugging.  (wireshark was running on the PC-WXP,
> tcpdump on FreeBSD)
> The testing was performed with both ends configured for esp transport mode,
> 3des and md5 for encryption and hashing, and pfs (Diffie-Hellman 2 (1024)).
> These two machines were connected on a stand-alone network (via crossover
> cables).
> Server kernel uses
> options         FAST_IPSEC
> device          cryptodev
> device          padlock
> options         IPFIREWALL
> /etc/sysctl.conf contains the following which may be relevant:
> net.inet.ip.fastforwarding=1  
> kern.cryptodevallowsoft=1
> net.inet.ipsec.crypto_support=1    # this was toggled 1/0 during testing
> net.inet.icmp.icmplim=10           # These may be off-track?
> net.inet.tcp.slowstart_flightsize=4  
> I hope that someone can provide some guidance, as I'm looking forward to
> getting the performance out of these energy efficient little processors.  I
> should note that IPSec works fine between FreeBSD boxes with
> net.inet.ipsec.crypto_support=1 however we have to reconfigure for
> high-value PC communications.  I'd like to have my cake
> (freebsd-ipsec-padlock) and eat it too (WXP) ;)
> Reference: 
> net.inet.ipsec.crypto_support values from
> (http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323 )

Not that this solves your problem, but doesn't the padlock crypto engine
only provide acceleration for AES symmetric encryption? From the man page:

     The C3 and Eden processor series from VIA include hardware acceleration
     for AES.  The C7 series includes hardware acceleration for AES, SHA1,
     SHA256 and RSA.  All of the above processor series include a hardware
     random number generator.

Does using AES instead of 3DES change your situation at all?
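The change Michael suggests, written out as an added racoon.conf example rather than either poster's configuration. The addresses (192.0.2.10 for the FreeBSD firewall, 192.0.2.20 for the Windows box), the psk.txt path and the lifetimes are assumptions of this example. AES and SHA1 are listed first because those are the algorithms the padlock(4) excerpt above says the C7 accelerates; the 3DES/HMAC-MD5 transforms from the original test stay as a second choice so a peer that only offers those can still negotiate. The Windows policy has to offer the same transforms for the first proposal to be selected. ESP transport mode is chosen by the SPD entries loaded with setkey(8), not by racoon, so those are included in the same block.

```conf
# /usr/local/etc/racoon/racoon.conf (ipsec-tools 0.7) -- added example, not the poster's config.
# Peer addresses, PSK path and lifetimes are assumptions of this example.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (ISAKMP SA) with the Windows peer.
remote 192.0.2.20 {
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                # AES/SHA1 first: padlock on a C7 accelerates these,
                # while 3DES and MD5 have no hardware path on it.
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                # Fallback matching the original 3DES/MD5 test setup.
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA). Algorithms are offered in the order listed;
# PFS with DH group 2 as in the test.
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes 256, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

# /usr/local/etc/racoon/setkey.conf, loaded with `setkey -f`.
# ESP transport mode is selected here in the SPD, not in racoon.conf.
flush;
spdflush;
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;
```

After the SAs come up, `setkey -D` prints the encryption (E:) and authentication (A:) algorithm actually installed for each SA, which is the quickest way to confirm that AES/SHA1 rather than 3DES/MD5 was negotiated. One caveat to check alongside this: as I read the netipsec sysctl, net.inet.ipsec.crypto_support is a mask of driver capability flags, with 1 selecting hardware drivers only and the default also including software; if that reading is right, a 3DES/MD5 SA has no driver to land on when only padlock is present, which would fit the failed pfkey update, but neither poster confirms this and it should be verified against the kernel source for the release in use.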


More information about the freebsd-stable mailing list