 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Manuel Kasper'" <mk at neon1 dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] pb9 released - IPsec VPN tunnels!
 Date:  Sun, 18 May 2003 21:48:10 +0200
You are the best! No words.

Offer a Belgian mirror (on future site www.initec.be/m0n0wall etc)? How does
that work? Will it contribute?

Regards,
Joachim

-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: zaterdag 17 mei 2003 20:44
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] pb9 released - IPsec VPN tunnels!


Hi folks,

m0n0wall pb9 has been released and finally supports IPsec VPN tunnels
(ESP/AH)!

The IPsec support is based on FreeBSD's FAST_IPSEC, and as such the
hifn-based hardware crypto accelerators (such as the Soekris vpn1211) are
supported (automatically used when detected; check the system status
page).

Here are a few performance figures (ESP):

net4511 with vpn1211 crypto accelerator:

3DES/MD5                  5.6  Mbps
3DES/SHA1                 5.55 Mbps
Blowfish/MD5              3.2  Mbps

net4511 bare:

3DES/MD5                  1.66 Mbps
3DES/SHA1                 1.25 Mbps
Blowfish/MD5              3.4  Mbps

This is consistent with my earlier measurement of about 8 Mbps 3DES/MD5
throughput with the accelerator (we have the huge ipfilter overhead in
m0n0wall that accounts for the difference). Expect slightly higher numbers
on net4501 or net4521 (133 vs. 100 MHz).

Observations:

- MD5 is a tad faster than SHA1 in software encryption

- it seems like doing MD5 in software is even faster than handing the data
to the crypto chip (look at the Blowfish figure - the crypto card doesn't
do Blowfish, so it's only the MD5 that could have made a difference).

Lesson: use 3DES if you have a crypto accelerator or want to be compatible
with commercial firewall gear, and Blowfish (or maybe CAST128 or Rijndael)
if you don't.

Things are currently hardwired for the common LAN <--(WAN)--> LAN
scenario, i.e. site-to-site VPN (though it should work in a remote user
VPN setup, too). m0n0wall always assumes that the tunnel is between the
network on the LAN interface and some other network via WAN. No special
filter rules have to be added. IKE is always used (with racoon).

I haven't had a chance to test it against other implementations (i.e.
commercial firewalls) yet; m0n0wall <-> m0n0wall VPNs should definitely
work, and from earlier experiments with racoon I know that it works with
WatchGuard Fireboxes, too (though I didn't manage to get it to work with a
ZyWALL 100, for example - seems to be a problem with racoon).

Other changes:

- MAC address spoofing on WAN now supported
- fix for PPTP VPN RADIUS server support
- swapping code disabled in kernel (NO_SWAPPING)

I decided to put off the time(zone) and shell access changes in favor of
IPsec, which has been pending for a long time.

Despite the fact that there are so many features left to be implemented,
the next thing I want to tackle is getting m0n0wall to work cleanly on any
standard PC with a CD-ROM that contains the system and a floppy disk for
the configuration. Not depending on a particular platform could IMHO
increase the number of potential users drastically.

Note that the net45xx images now have a suffix of .img (instead of
.bin.gz) - this is to get rid of the dumb Windows IE (and possibly others)
bug for good. If you want to upgrade a pre-pb8 system via the web
interface/FTP, rename the file to end in .bin.gz. BTW, physdiskwrite 0.2
can decompress the image on-the-fly, so no need to gunzip on Windows.

Furthermore, there are now three download mirrors in total (2 in USA, 1 in
Switzerland).

That's all...

Bye,

Manuel

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

