How did you handle integrating IPSec with NAT?
We've had to use NATD on the 'inside' interface for this to work, are you
using NATD or IPNAT?
I looked at modifying the BSD kernel to switch the ordering on when IPNAT
and IPSEC process packets to get it working correctly.
5/17/03 11:43 AM, "Manuel Kasper" <mk at neon1 dot net> wrote:
> Hi folks,
> m0n0wall pb9 has been released and finally supports IPsec VPN tunnels
> The IPsec support is based on FreeBSD's FAST_IPSEC, and as such the
> hifn-based hardware crypto accelerators (such as the Soekris vpn1211) are
> supported (automatically used when detected; check the system status
> Here are a few performance figures (ESP):
> net4511 with vpn1211 crypto accelerator:
> 3DES/MD5 5.6 Mbps
> 3DES/SHA1 5.55 Mbps
> Blowfish/MD5 3.2 Mbps
> net4511 bare:
> 3DES/MD5 1.66 Mbps
> 3DES/SHA1 1.25 Mbps
> Blowfish/MD5 3.4 Mbps
> This is consistent with my earlier measurement of about 8 Mbps 3DES/MD5
> throughput with the accelerator (we have the huge ipfilter overhead in
> m0n0wall that accounts for the difference). Expect slightly higher numbers
> on net4501 or net4521 (133 vs. 100 MHz).
> - MD5 is a tad faster than SHA1 in software encryption
> - it seems like doing MD5 in software is even faster than handing the data
> to the crypto chip (look at the Blowfish figure - the crypto card doesn't
> do Blowfish, so it's only the MD5 that could have made a difference).
> Lesson: use 3DES if you have a crypto accelerator or want to be compatible
> with commercial firewall gear, and Blowfish (or maybe CAST128 or Rijndael)
> if you don't.
> Things are currently hardwired for the common LAN <--(WAN)--> LAN
> scenario, i.e. site-to-site VPN (though it should work in a remote user
> VPN setup, too). m0n0wall always assumes that the tunnel is between the
> network on the LAN interface and some other network via WAN. No special
> filter rules have to be added. IKE is always used (with racoon).
> I haven't had a chance to test it against other implementations (i.e.
> commercial firewalls) yet; m0n0wall <-> m0n0wall VPNs should definitely
> work, and from earlier experiments with racoon I know that it works with
> WatchGuard Fireboxes, too (though I didn't manage to get it to work with a
> ZyWALL 100, for example - seems to be a problem with racoon).
> Other changes:
> - MAC address spoofing on WAN now supported
> - fix for PPTP VPN RADIUS server support
> - swapping code disabled in kernel (NO_SWAPPING)
> I decided to put off the time(zone) and shell access changes in favor of
> IPsec, which has been pending for a long time.
> Despite the fact that there are so many features left to be implemented,
> the next thing I want to tackle is getting m0n0wall to work cleanly on any
> standard PC with a CD-ROM that contains the system and a floppy disk for
> the configuration. Not depending on a particular platform could IMHO
> increase the number of potential users drastically.
> Note that the net45xx images now have a suffix of .img (instead of
> .bin.gz) - this is to get rid of the dumb Windows IE (and possibly others)
> bug for good. If you want to upgrade a pre-pb8 system via the web
> interface/FTP, rename the file to end in .bin.gz. BTW, physdiskwrite 0.2
> can decompress the image on-the-fly, so no need to gunzip on Windows.
> Furthermore, there are now three download mirrors in total (2 in USA, 1 in
> That's all...
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
michael at staff dot openaccess dot org