Re: IPSEC + Via Padlock + racoon + Windows



Dewayne Geraghty wrote:
We're looking to deploy FreeBSD on our main firewall. The firewall config
is a VIA C7 (padlock), racoon(ipsec-tools-0.7), IPSec. We're testing racoon
with a windows box, however the firewall doesn't function correctly when
net.inet.ipsec.crypto_support=1 is set. With a
net.inet.ipsec.crypto_support=0 it does.

The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a
separate HDD (as at 2007-12-02).

"Doesn't function correctly" means that after phase 1 & 2 negotiation the
Windows box is able to send a ping (from WXP-SP2+) to the server. The
server doesn't respond to the pings, but generates pfkey Update failed
messages during racoon debugging. (wireshark was running on the PC-WXP,
tcpdump on FreeBSD)

The testing was performed with both ends configured for esp transport mode,
3des and md5 for encryption and hashing, and pfs (Diffie-Hellman 2 (1024)).
These two machines were connected on a stand-alone network (via crossover
cables).

Server kernel uses
options FAST_IPSEC
device cryptodev
device padlock
options IPFIREWALL

/etc/sysctl.conf contains the following which may be relevant:
net.inet.ip.fastforwarding=1
kern.cryptodevallowsoft=1
net.inet.ipsec.crypto_support=1 # this was toggled 1/0 during testing
net.inet.icmp.icmplim=10 # These may be off-track?
net.inet.tcp.slowstart_flightsize=4

I hope that someone can provide some guidance, as I'm looking forward to
getting the performance out of these energy efficient little processors. I
should note that IPSec works fine between FreeBSD boxes with
net.inet.ipsec.crypto_support=1 however we have to reconfigure for
high-value PC communications. I'd like to have my cake
(freebsd-ipsec-padlock) and eat it too (WXP) ;)

Reference:
net.inet.ipsec.crypto_support values from
(http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323 )



Not that this solves your problem, but doesn't the padlock crypto engine
only provide acceleration for AES symmetric encryption? From the man page:

The C3 and Eden processor series from VIA include hardware acceleration
for AES. The C7 series includes hardware acceleration for AES, SHA1,
SHA256 and RSA. All of the above processor series include a hardware
random number generator.

Does using AES instead of 3DES change your situation at all?


-Proto
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"