m0n0wall pb9 has been released and finally supports IPsec VPN tunnels
The IPsec support is based on FreeBSD's FAST_IPSEC, and as such the
hifn-based hardware crypto accelerators (such as the Soekris vpn1211) are
supported (automatically used when detected; check the system status
Here are a few performance figures (ESP), measured on a net4511:

  With vpn1211 crypto accelerator:
    3DES/MD5        5.6  Mbps
    3DES/SHA1       5.55 Mbps
    Blowfish/MD5    3.2  Mbps

  Without accelerator (software crypto):
    3DES/MD5        1.66 Mbps
    3DES/SHA1       1.25 Mbps
    Blowfish/MD5    3.4  Mbps
This is consistent with my earlier measurement of about 8 Mbps 3DES/MD5
throughput with the accelerator (we have the huge ipfilter overhead in
m0n0wall that accounts for the difference). Expect slightly higher numbers
on net4501 or net4521 (133 vs. 100 MHz).
- MD5 is a tad faster than SHA1 in software encryption
- it seems like doing MD5 in software is even faster than handing the data
to the crypto chip (look at the Blowfish figure - the crypto card doesn't
do Blowfish, so it's only the MD5 that could have made a difference).
Lesson: use 3DES if you have a crypto accelerator or want to be compatible
with commercial firewall gear, and Blowfish (or maybe CAST128 or Rijndael)
if you don't.
Things are currently hardwired for the common LAN <--(WAN)--> LAN
scenario, i.e. site-to-site VPN (though it should work in a remote user
VPN setup, too). m0n0wall always assumes that the tunnel is between the
network on the LAN interface and some other network via WAN. No special
filter rules have to be added. IKE is always used (with racoon).
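To make the LAN <--(WAN)--> LAN scenario concrete, here is an added example (not the configuration m0n0wall generates for you from the web GUI) of the racoon.conf and setkey SPD entries that describe such a tunnel with the 3DES/SHA1 ESP proposal recommended above. The WAN addresses 198.51.100.1 / 203.0.113.2, the LAN networks 192.168.1.0/24 / 192.168.2.0/24 and the pre-shared-key file path are constructed for the example.

```conf
# --- racoon.conf on site A (IKE phase 1 + phase 2) -------------------------
# Site A: WAN 198.51.100.1, LAN 192.168.1.0/24   (constructed addresses)
# Site B: WAN 203.0.113.2,  LAN 192.168.2.0/24
path pre_shared_key "/etc/racoon/psk.txt";   # assumed path; one "<peer-ip> <secret>" line per peer

remote 203.0.113.2 {
    exchange_mode main;                  # main mode: what most commercial gear expects
    my_identifier address 198.51.100.1;
    proposal {
        encryption_algorithm 3des;       # offloaded to the hifn chip when one is present
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2: ESP between the two LAN networks (the "LAN network via WAN" assumption)
sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any {
    pfs_group 2;
    encryption_algorithm 3des;           # blowfish is the better pick without an accelerator
    authentication_algorithm hmac_sha1;  # hmac_md5 is a bit faster in software
    compression_algorithm deflate;
}

# --- setkey SPD entries on site A: tunnel-mode ESP for LAN<->LAN traffic ---
# Matching policies make the kernel ask racoon to negotiate SAs on demand;
# traffic between the two LANs never leaves the WAN unencrypted.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-198.51.100.1/require;
```

Site B uses the mirror image (swap the WAN and LAN addresses); with `/require` in both directions, a missing or failed SA drops the packets instead of sending them in the clear.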
I haven't had a chance to test it against other implementations (i.e.
commercial firewalls) yet; m0n0wall <-> m0n0wall VPNs should definitely
work, and from earlier experiments with racoon I know that it works with
WatchGuard Fireboxes, too (though I didn't manage to get it to work with a
ZyWALL 100, for example - seems to be a problem with racoon).
- MAC address spoofing on WAN now supported
- fix for PPTP VPN RADIUS server support
- swapping code disabled in kernel (NO_SWAPPING)
I decided to put off the time(zone) and shell access changes in favor of
IPsec, which has been pending for a long time.
Despite the fact that there are so many features left to be implemented,
the next thing I want to tackle is getting m0n0wall to work cleanly on any
standard PC with a CD-ROM that contains the system and a floppy disk for
the configuration. Not depending on a particular platform could IMHO
increase the number of potential users drastically.
Note that the net45xx images now have a suffix of .img (instead of
.bin.gz) - this is to get rid of the dumb Windows IE (and possibly others)
bug for good. If you want to upgrade a pre-pb8 system via the web
interface/FTP, rename the file to end in .bin.gz. BTW, physdiskwrite 0.2
can decompress the image on-the-fly, so no need to gunzip on Windows.
Furthermore, there are now three download mirrors in total (2 in USA, 1 in