Here's yet another release that probably makes dreams come true for some
people: mobile user IPsec VPN (a.k.a. IPsec VPN with clients with
dynamic IP addresses) is now supported by m0n0wall! It's even possible
to set up an IPsec VPN server that has a dynamic WAN IP address and then
use a DynDNS hostname with the clients. See the tutorial at
http://m0n0.ch/wall/docs/node/view/38
for more information on how to use it in conjunction with SafeNet
SoftRemoteLT. SSH Sentinel has been tested, too. There's also a new
diagnostic page where you can view and delete IPsec security
associations and policies.
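To make the "common policy, per-client pre-shared key" model concrete, here is an illustrative racoon configuration for a mobile-client setup of the kind described above and in the change log. This is an added example, not the racoon.conf that m0n0wall generates from the webGUI; the file paths, the DynDNS hostname and the client identifiers are assumptions.

```conf
# Added illustrative racoon.conf for mobile (dynamic-address) IPsec clients.
# Not m0n0wall's generated file; paths, hostname and identifiers are assumed.

path pre_shared_key "/var/etc/psk.txt";

# "anonymous" matches a peer at any address, which is what clients with
# dynamic IPs need. All clients share this one phase 1 (P1) policy.
remote anonymous {
        passive on;                 # we only respond, never initiate
        exchange_mode aggressive;   # needed so the client can send its ID first
        # Identify the server by its DynDNS name instead of the changing WAN IP.
        my_identifier fqdn "vpn.example.dyndns.org";
        # Use the lifetime/PFS values the client proposes rather than
        # insisting on an exact match.
        proposal_check obey;
        # Install SPD entries from the client's phase 2 request, since we
        # cannot know the client's address in advance.
        generate_policy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Shared phase 2 (P2) policy for all mobile clients.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

# ---- /var/etc/psk.txt (must be mode 0600) ----
# One line per client: the identifier the client sends (FQDN or e-mail
# address), then that client's own secret. racoon picks the key by ID.
alice@example.com       <long random secret for alice>
laptop.example.com      <long random secret for that host>
```

The reason aggressive mode is used here is also its weak spot: the client's identifier and the authentication hash travel before the Diffie-Hellman-derived keys protect them, so a passive observer on the path can mount an offline dictionary attack against the pre-shared key. Use long, random, per-client secrets rather than memorable passphrases, and revoke a single client by deleting its line.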
What's more - thanks to a kernel patch (I swapped the processing order
of ipfw and ipfilter for outgoing packets), traffic shaper rules can now
be applied to the WAN interface, which should make things like
prioritizing easier (especially for people with optional interfaces!).
Quite a few changes to critical components (including the filter rule
generator) had to be made for this release (read the change log for
details), so once more, remember to back up your configuration and have
the image of the previous version ready in case things go wrong. The
sheer number of different possible configurations makes it infeasible
for me to try them all. People with exotic setups are of course more
likely to experience problems.
Just to satisfy my curiosity, I ran some throughput tests with mobile
user IPsec VPN on a WRAP.1B board. Here are the results:
PC Engines WRAP.1B, SC1100 233 MHz, IPsec tunnel, iperf TCP performance
-----------------------------------------------------------------------
no crypto accelerator:
  3DES-SHA1     3.0 Mbps
  3DES-MD5      3.5 Mbps
  AES128-MD5    7.0 Mbps
  AES256-MD5    6.3 Mbps
Soekris Engineering vpn1211 crypto accelerator:
  3DES-SHA1     9.2 Mbps
  3DES-MD5     10.2 Mbps
The HiFn 7951 chip doesn't support AES, so AES throughput with the
accelerator was of course the same as without it.
Here's the full change log:
- mobile IPsec VPN clients (i.e. with a dynamic IP address) are now
supported. They have to share a common policy (P1/P2 proposal), but may
use different pre-shared keys (with domain names or e-mail addresses as
the identifier in aggressive mode).
- new diagnostics page to view and delete entries in the IPsec SAD and SPD
- traffic shaper rules can now be applied to the WAN interface (kernel
patch)
- added <shellcmd> tag to <system> section which can be used to run
arbitrary shell commands after the initial boot setup completes
- modified exec.php to always show the last command in the input field
- added exec_raw.php to execute a command and return the output in
text/plain format without any HTML formatting (use like
http://m0n0wall-ip/exec_raw.php?cmd=... - command needs to be
URL-encoded of course)
- filter rule generator has been modified: outgoing packets that do not
yet have a state table entry are now always allowed to pass and create a
state. This implies that the firewall itself can now access any host on
all networks that are attached to it. The change was necessary to let
IPsec traffic from mobile users out, and to remove a very ugly rule that
had been put in place to allow decrypted IPsec traffic in on WAN without
being able to verify that it had indeed come from an IPsec tunnel
(there is no way of verifying that in an ipfilter rule)
- added a note to the inbound NAT page explaining that NATed services
cannot be reached via the WAN IP address from within the LAN or optional
networks
- removed IPSEC_FILTERGIF from kernel config to correspond with the
changes in the filter rule generator - if you have a custom kernel and
use IPsec, rebuild it without that option!
- reversed processing order of ipfilter and ipfw in ip_output.c to make
things symmetric with ip_input.c (ipfw needs to see outgoing packets
before ipnat)
- upgraded racoon to 20030826a
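Since exec_raw.php takes the command as a URL query parameter, the only part that trips people up is the encoding. The following added example (not part of m0n0wall) does the percent-encoding in plain POSIX sh, builds the GET URL, and optionally fetches the plain-text result with curl. The host address, the use of HTTP basic authentication and the environment variable holding the password are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not m0n0wall code: build and call an exec_raw.php URL with
# the command URL-encoded. Host, auth scheme and M0N0_PASS are assumptions.

# Percent-encode every byte except the unreserved set A-Za-z0-9 - _ . ~
# (RFC 3986). od emits each byte as two hex digits; awk maps each one back
# to a character if it is unreserved, or to %XX otherwise.
urlencode() {
    printf '%s' "$1" | od -An -tx1 -v | tr ' ' '\n' | awk '
        BEGIN {
            for (i = 0; i < 256; i++) {
                h = sprintf("%02x", i)
                ch[h] = sprintf("%c", i)
            }
        }
        NF {
            c = ch[$1]
            if (c ~ /[A-Za-z0-9._~-]/) printf "%s", c
            else printf "%%%s", toupper($1)
        }
    '
}

# Build the GET URL for exec_raw.php on the given m0n0wall host.
exec_raw_url() {
    host=$1; cmd=$2
    printf 'http://%s/exec_raw.php?cmd=%s\n' "$host" "$(urlencode "$cmd")"
}

# Fetch the text/plain output. The page runs whatever it is given with the
# webGUI's privileges and the command ends up in web server logs, so only
# use it against a box you administer, from a network the webGUI trusts.
# Basic auth with the admin user is an assumption; adapt as needed.
exec_raw() {
    host=$1; cmd=$2
    curl -s -u "admin:$M0N0_PASS" "$(exec_raw_url "$host" "$cmd")"
}

# Usage (not run automatically):
#   M0N0_PASS=... exec_raw 192.168.1.1 'ifconfig -a'
```

Characters such as spaces, slashes, ampersands and equals signs must all be encoded, or the web server will split or truncate the command; the encoder above handles any byte, including non-ASCII, rather than just the common cases.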
Have fun!
- Manuel