IPSEC + Via Padlock + racoon + Windows

Dewayne Geraghty phil at amdg.etowns.org
Sun Dec 2 22:58:15 PST 2007


We're looking to deploy FreeBSD on our main firewall.  The firewall config
is a VIA C7 (padlock), racoon(ipsec-tools-0.7), IPSec.  We're testing racoon
with a windows box, however the firewall doesn't function correctly when
net.inet.ipsec.crypto_support=1 is set.  With a
net.inet.ipsec.crypto_support=0 it does.  

The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a
separate HDD (as at 2007-12-02).

"Doesn't function correctly" means that after phase 1 & 2 negotiation the
Windows box is able to send a ping (from WXP-SP2+) to the server.  The
server doesn't respond to the pings, but generates "pfkey Update failed"
messages during racoon debugging.  (Wireshark was running on the PC-WXP,
tcpdump on FreeBSD.)

The testing was performed with both ends configured for ESP transport mode,
3DES and MD5 for encryption and hashing, and PFS (Diffie-Hellman 2 (1024)).
These two machines were connected on a stand-alone network (via crossover
cables).

Server kernel uses
options         FAST_IPSEC
device          cryptodev
device          padlock
options         IPFIREWALL

/etc/sysctl.conf contains the following which may be relevant:
net.inet.ip.fastforwarding=1  
kern.cryptodevallowsoft=1
net.inet.ipsec.crypto_support=1    # this was toggled 1/0 during testing
net.inet.icmp.icmplim=10           # These may be off-track?
net.inet.tcp.slowstart_flightsize=4  

I hope that someone can provide some guidance, as I'm looking forward to
getting the performance out of these energy efficient little processors.  I
should note that IPSec works fine between FreeBSD boxes with
net.inet.ipsec.crypto_support=1 however we have to reconfigure for
high-value PC communications.  I'd like to have my cake
(freebsd-ipsec-padlock) and eat it too (WXP) ;)

Reference:
net.inet.ipsec.crypto_support values from
http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323

Dewayne (Phil) Geraghty
