 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall dash announce at lists dot m0n0 dot ch
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  pb25 released
 Date:  Sat, 17 Jan 2004 22:48:27 +0100
Here's yet another release that probably makes dreams come true for some 
people: mobile user IPsec VPN (a.k.a. IPsec VPN with clients with 
dynamic IP addresses) is now supported by m0n0wall! It's even possible 
to set up an IPsec VPN server that has a dynamic WAN IP address and then 
use a DynDNS hostname with the clients. See the tutorial at

http://m0n0.ch/wall/docs/node/view/38

for more information on how to use it in conjunction with SafeNet 
SoftRemoteLT. SSH Sentinel has been tested, too. There's also a new 
diagnostic page where you can view and delete IPsec security 
associations and policies.

What's more - thanks to a kernel patch (I swapped the processing order 
of ipfw and ipfilter for outgoing packets), traffic shaper rules can now 
be applied to the WAN interface, which should make things like 
prioritizing easier (especially for people with optional interfaces!).

Quite a few changes to critical components (including the filter rule 
generator) had to be made for this release (read the change log for 
details), so once more, remember to back up your configuration and have 
the image of the previous version ready in case things go wrong. The 
sheer number of different possible configurations makes it unfeasible 
for me to try them all. People with exotic setups are of course more 
likely to experience problems.

Just to satisfy my curiosity, I ran some throughput tests with mobile 
user IPsec VPN on a WRAP.1B board. Here are the results:

PC Engines WRAP.1B, SC1100 233 MHz, IPsec tunnel, iperf TCP performance
-----------------------------------------------------------------------
no crypto accelerator:
    3DES-SHA1                  3   Mbps
    3DES-MD5                   3.5 Mbps
    AES128-MD5                 7   Mbps
    AES256-MD5                 6.3 Mbps

Soekris Engineering vpn1211 crypto accelerator:
    3DES-SHA1                  9.2 Mbps
    3DES-MD5                  10.2 Mbps

The HiFn 7951 chip doesn't support AES, so AES throughput with the 
accelerator was of course the same.

Here's the full change log:

- mobile IPsec VPN clients (i.e. with a dynamic IP address) are now 
supported. They have to share a common policy (P1/P2 proposal), but may 
use different pre-shared keys (with domain names or e-mail addresses as 
the identifier in aggressive mode).

- new diagnostics page to view and delete entries in the IPsec SAD and SPD

- traffic shaper rules can now be applied to the WAN interface (kernel 
patch)

- added <shellcmd> tag to <system> section which can be used to run 
arbitrary shell commands after the initial boot setup completes

- modified exec.php to always show the last command in the input field

- added exec_raw.php to execute a command and return the output in 
text/plain format without any HTML formatting (use like 
http://m0n0wall-ip/exec_raw.php?cmd=... - command needs to be 
URL-encoded of course)

- filter rule generator has been modified: outgoing packets that do not 
yet have a state table entry are now always allowed to pass and create a 
state; this implies that the firewall itself can now access any host on 
all networks that are attached to it. This change was necessary to allow 
IPsec traffic from mobile users out and to remove a very ugly rule that 
had been put in place to allow decrypted IPsec traffic in on WAN without 
being able to verify that it had indeed come from an IPsec tunnel 
(there's no way of verifying that in an ipfilter rule)

- added a note about not being able to access NATed services using the 
WAN IP address from within LAN or optional networks to the inbound NAT page

- removed IPSEC_FILTERGIF from kernel config to correspond with the 
changes in the filter rule generator - if you have a custom kernel and 
use IPsec, rebuild it without that option!

- reversed processing order of ipfilter and ipfw in ip_output.c to make 
things symmetric with ip_input.c (ipfw needs to see outgoing packets 
before ipnat)

- upgraded racoon to 20030826a

Have fun!

- Manuel
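The mobile-client arrangement from the change log (one shared phase 1/phase 2 policy, a different pre-shared key per client selected by its FQDN or e-mail identifier in aggressive mode) written out in racoon's configuration syntax, as an added illustration and not the configuration m0n0wall generates. The hostnames, identifiers, file paths, lifetimes and key values are constructed placeholders; the proposal matches the 3DES-SHA1 row of the throughput table.

```conf
# /var/etc/racoon.conf (constructed example, not the m0n0wall-generated file)
path pre_shared_key "/var/etc/psk.txt";

# A single "remote anonymous" block is the one shared phase 1 policy:
# it accepts a peer from any address, which is what clients with
# dynamic IP addresses need.
remote anonymous {
    exchange_mode aggressive;             # client sends its identifier in the first message
    my_identifier fqdn "vpn.example.com"; # placeholder gateway identity (or a DynDNS name)
    verify_identifier on;                 # presented ID must match the psk.txt entry used
    passive on;                           # gateway only answers, never initiates
    generate_policy on;                   # create SPD entries for whichever client connects
    proposal_check obey;
    lifetime time 28800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# The one shared phase 2 policy (3DES-SHA1, as in the iperf table).
sainfo anonymous {
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# /var/etc/psk.txt (constructed): one line per client, identifier then key.
# racoon picks the key by the identifier the client presents, so clients
# share the policy above but each has its own secret:
#   client1.example.com    <long-random-key-placeholder>
#   alice@example.com      <long-random-key-placeholder>
```

Keep psk.txt readable only by root, and use long random keys: with aggressive mode and pre-shared keys the identifier travels unencrypted and the exchange exposes enough material for offline key guessing, so key length is the mitigation. The new SAD/SPD diagnostics page is the place to confirm that a client's SA and policy were actually created with this proposal.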