 From:  Michael DeMan <michael at staff dot openaccess dot org>
 To:  Manuel Kasper <mk at neon1 dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] pb9 released - IPsec VPN tunnels!
 Date:  Sat, 17 May 2003 13:23:59 -0700
Manuel,

How did you handle integrating IPSec with NAT?

We've had to use NATD on the 'inside' interface for this to work, are you
using NATD or IPNAT?

I looked at modifying the BSD kernel to switch the ordering on when IPNAT
and IPSEC process packets to get it working correctly.

- Mike

On 5/17/03 11:43 AM, "Manuel Kasper" <mk at neon1 dot net> wrote:

> Hi folks,
> 
> m0n0wall pb9 has been released and finally supports IPsec VPN tunnels
> (ESP/AH)!
> 
> The IPsec support is based on FreeBSD's FAST_IPSEC, and as such the
> hifn-based hardware crypto accelerators (such as the Soekris vpn1211) are
> supported (automatically used when detected; check the system status
> page).
> 
> Here are a few performance figures (ESP):
> 
> net4511 with vpn1211 crypto accelerator:
> 
> 3DES/MD5                  5.6  Mbps
> 3DES/SHA1                 5.55 Mbps
> Blowfish/MD5              3.2  Mbps
> 
> net4511 bare:
> 
> 3DES/MD5                  1.66 Mbps
> 3DES/SHA1                 1.25 Mbps
> Blowfish/MD5              3.4  Mbps
> 
> This is consistent with my earlier measurement of about 8 Mbps 3DES/MD5
> throughput with the accelerator (we have the huge ipfilter overhead in
> m0n0wall that accounts for the difference). Expect slightly higher numbers
> on net4501 or net4521 (133 vs. 100 MHz).
> 
> Observations:
> 
> - MD5 is a tad faster than SHA1 in software encryption
> 
> - it seems like doing MD5 in software is even faster than handing the data
> to the crypto chip (look at the Blowfish figure - the crypto card doesn't
> do Blowfish, so it's only the MD5 that could have made a difference).
> 
> Lesson: use 3DES if you have a crypto accelerator or want to be compatible
> with commercial firewall gear, and Blowfish (or maybe CAST128 or Rijndael)
> if you don't.
> 
> Things are currently hardwired for the common LAN <--(WAN)--> LAN
> scenario, i.e. site-to-site VPN (though it should work in a remote user
> VPN setup, too). m0n0wall always assumes that the tunnel is between the
> network on the LAN interface and some other network via WAN. No special
> filter rules have to be added. IKE is always used (with racoon).
> 
> I haven't had a chance to test it against other implementations (i.e.
> commercial firewalls) yet; m0n0wall <-> m0n0wall VPNs should definitely
> work, and from earlier experiments with racoon I know that it works with
> WatchGuard Fireboxes, too (though I didn't manage to get it to work with a
> ZyWALL 100, for example - seems to be a problem with racoon).
> 
> Other changes:
> 
> - MAC address spoofing on WAN now supported
> - fix for PPTP VPN RADIUS server support
> - swapping code disabled in kernel (NO_SWAPPING)
> 
> I decided to put off the time(zone) and shell access changes in favor of
> IPsec, which has been pending for a long time.
> 
> Despite the fact that there are so many features left to be implemented,
> the next thing I want to tackle is getting m0n0wall to work cleanly on any
> standard PC with a CD-ROM that contains the system and a floppy disk for
> the configuration. Not depending on a particular platform could IMHO
> increase the number of potential users drastically.
> 
> Note that the net45xx images now have a suffix of .img (instead of
> .bin.gz) - this is to get rid of the dumb Windows IE (and possibly others)
> bug for good. If you want to upgrade a pre-pb8 system via the web
> interface/FTP, rename the file to end in .bin.gz. BTW, physdiskwrite 0.2
> can decompress the image on-the-fly, so no need to gunzip on Windows.
> 
> Furthermore, there are now three download mirrors in total (2 in USA, 1 in
> Switzerland).
> 
> That's all...
> 
> Bye,
> 
> Manuel
> 

Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
Fax 360-738-9785
michael at staff dot openaccess dot org
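Added illustration (not code from the m0n0wall project or from either poster): Mike's question is about where NAT sits relative to IPsec on the outbound path. The model below makes the ordering problem concrete with a small policy-evaluation toy. The addresses, the "map" step and the SPD selector are constructed assumptions; the point it shows is generic to IPsec: the SPD matches on the packet's source and destination, so if NAT rewrites the LAN source address before the SPD lookup, LAN-to-remote-site traffic no longer matches the tunnel selector and leaves the WAN interface in the clear. The third variant models the usual mitigation of exempting tunnel-bound traffic from NAT.

```python
# Added example, not from the m0n0wall thread: toy model of NAT vs. IPsec
# ordering on an outbound packet. All addresses and names are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encrypted: bool = False


# Constructed site-to-site layout (assumed, not from the thread):
LAN_NET = ip_network("192.168.1.0/24")      # network behind this gateway
REMOTE_NET = ip_network("10.0.0.0/24")      # network behind the peer gateway
WAN_ADDR = "203.0.113.10"                   # this gateway's public address


def nat(pkt: Packet) -> Packet:
    """The 'map' step: rewrite any LAN source address to the WAN address.

    An ESP tunnel packet already carries the gateway's own WAN address in its
    outer header, so NAT has nothing to rewrite on an encrypted packet."""
    if not pkt.encrypted and ip_address(pkt.src) in LAN_NET:
        return Packet(WAN_ADDR, pkt.dst)
    return pkt


def nat_exempting_tunnel(pkt: Packet) -> Packet:
    """Same as nat(), but traffic bound for the remote site is left untouched
    (the common workaround when NAT runs before the SPD lookup)."""
    if ip_address(pkt.dst) in REMOTE_NET:
        return pkt
    return nat(pkt)


def ipsec_out(pkt: Packet) -> Packet:
    """Outbound SPD lookup: only LAN_NET <-> REMOTE_NET matches the tunnel
    policy and gets ESP; anything else is passed in the clear."""
    if ip_address(pkt.src) in LAN_NET and ip_address(pkt.dst) in REMOTE_NET:
        return Packet(pkt.src, pkt.dst, encrypted=True)
    return pkt


STAGES = {"nat": nat, "nat_exempt": nat_exempting_tunnel, "ipsec": ipsec_out}


def send(pkt: Packet, order: tuple) -> Packet:
    """Run the packet through the named stages in the given order."""
    for name in order:
        pkt = STAGES[name](pkt)
    return pkt


def tunnel_traffic_leaks(order: tuple) -> bool:
    """True if a LAN host talking to the remote site would leave the WAN
    interface unencrypted under this processing order."""
    out = send(Packet("192.168.1.20", "10.0.0.5"), order)
    return not out.encrypted


def internet_traffic_natted(order: tuple) -> bool:
    """True if ordinary Internet-bound traffic still gets its source rewritten."""
    out = send(Packet("192.168.1.20", "198.51.100.7"), order)
    return out.src == WAN_ADDR and not out.encrypted


if __name__ == "__main__":
    for order in (("nat", "ipsec"), ("ipsec", "nat"), ("nat_exempt", "ipsec")):
        print(order, "leaks:", tunnel_traffic_leaks(order),
              "internet NAT ok:", internet_traffic_natted(order))
```

The two questions a practitioner wants answered are the two functions at the end: does tunnel-bound traffic ever leave in the clear, and does everything else still get translated. Running the script shows that "nat" before "ipsec" leaks, "ipsec" before "nat" and the exemption variant do not, and all three still translate plain Internet traffic. The same pair of checks (a capture on the WAN side for unencrypted packets addressed to the remote network, plus a normal outbound connectivity test) is how to validate a real gateway after changing the order or adding an exemption.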