Here's yet another release that probably makes dreams come true for some people: mobile user IPsec VPN (a.k.a. IPsec VPN with clients with dynamic IP addresses) is now supported by m0n0wall! It's even possible to set up an IPsec VPN server that has a dynamic WAN IP address and then use a DynDNS hostname with the clients. See the tutorial at http://m0n0.ch/wall/docs/node/view/38 for more information on how to use it in conjunction with SafeNet SoftRemoteLT. SSH Sentinel has been tested, too. There's also a new diagnostic page where you can view and delete IPsec security associations and policies.

What's more - thanks to a kernel patch (I swapped the processing order of ipfw and ipfilter for outgoing packets), traffic shaper rules can now be applied to the WAN interface, which should make things like prioritizing easier (especially for people with optional interfaces!).

Quite a few changes to critical components (including the filter rule generator) had to be made for this release (read the change log for details), so once more, remember to back up your configuration and have the image of the previous version ready in case things go wrong. The sheer number of different possible configurations makes it unfeasible for me to try them all. People with exotic setups are of course more likely to experience problems.

Just to satisfy my curiosity, I ran some throughput tests with mobile user IPsec VPN on a WRAP.1B board. Here are the results:

PC Engines WRAP.1B, SC1100 233 MHz, IPsec tunnel, iperf TCP performance
-----------------------------------------------------------------------
no crypto accelerator:
    3DES-SHA1      3 Mbps
    3DES-MD5       3.5 Mbps
    AES128-MD5     7 Mbps
    AES256-MD5     6.3 Mbps

Soekris Engineering vpn1211 crypto accelerator:
    3DES-SHA1      9.2 Mbps
    3DES-MD5      10.2 Mbps

The HiFn 7951 chip doesn't support AES, so AES throughput with the accelerator was of course the same.

Here's the full change log:

- mobile IPsec VPN clients (i.e. with a dynamic IP address) are now supported. They have to share a common policy (P1/P2 proposal), but may use different pre-shared keys (with domain names or e-mail addresses as the identifier in aggressive mode).
- new diagnostics page to view and delete entries in the IPsec SAD and SPD
- traffic shaper rules can now be applied to the WAN interface (kernel patch)
- added <shellcmd> tag to <system> section which can be used to run arbitrary shell commands after the initial boot setup completes
- modified exec.php to always show the last command in the input field
- added exec_raw.php to execute a command and return the output in text/plain format without any HTML formatting (use like http://m0n0wall-ip/exec_raw.php?cmd=... - the command needs to be URL-encoded, of course)
- filter rule generator has been modified: outgoing packets that do not yet have a state table entry are now always allowed to pass and create a state; this implies that the firewall itself can now access any host on all networks that are attached to it. This change was necessary to allow IPsec traffic from mobile users out and to remove a very ugly rule that had been put in place to allow decrypted IPsec traffic in on WAN without being able to verify that it had indeed come from an IPsec tunnel (there's no way of verifying that in an ipfilter rule)
- added a note about not being able to access NATed services using the WAN IP address from within LAN or optional networks to the inbound NAT page
- removed IPSEC_FILTERGIF from kernel config to correspond with the changes in the filter rule generator - if you have a custom kernel and use IPsec, rebuild it without that option!
- reversed processing order of ipfilter and ipfw in ip_output.c to make things symmetric with ip_input.c (ipfw needs to see outgoing packets before ipnat)
- upgraded racoon to 20030826a

Have fun!

- Manuel
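The first change-log item (one shared phase 1/phase 2 proposal for all mobile clients, but a pre-shared key per client selected by its identifier) looks like this in racoon's own configuration syntax. This is an added illustration, not the configuration m0n0wall generates; the psk.txt path, the client identifiers and the secrets are made-up placeholders, and the proposal values are just one example of a policy that every client would then have to match.

```conf
# racoon.conf (illustrative; not m0n0wall's generated file)

# Assumed location of the pre-shared key file.
path pre_shared_key "/var/etc/psk.txt";

# A single "remote anonymous" block matches any peer whose address is not
# known in advance, i.e. every mobile client. All of them negotiate phase 1
# against this one proposal; there is no per-client policy.
remote anonymous {
    # In aggressive mode the initiator's identity payload arrives in its
    # first message, which is what lets racoon look up that client's own
    # pre-shared key before any keying material exists.
    exchange_mode aggressive;
    my_identifier address;
    proposal_check obey;
    # Install SPD entries for the client's dynamic address on the fly.
    generate_policy on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2: again one shared policy for all mobile clients.
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# /var/etc/psk.txt then holds one line per client, "<identifier> <secret>",
# keyed by the FQDN or e-mail address the client presents (constructed values):
#
#   laptop.example.net   placeholder-secret-1
#   alice@example.net    placeholder-secret-2
```

Because the identifier is the only thing that distinguishes one mobile client from another in this setup, it has to be unique per client and the secret next to it should be long and random; the proposal block, on the other hand, is deliberately identical for everyone, matching the "common P1/P2 proposal" requirement stated above.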
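For the exec_raw.php item, here is a small Python helper (added here; it is not m0n0wall code) that builds the URL with the command properly URL-encoded and fetches the text/plain output. It assumes the webGUI is reachable over plain HTTP at the given host and protected with HTTP basic authentication; the host, the login and the `setkey -D` command in the usage part (which dumps the IPsec SAD on a KAME-based stack, the same data the new diagnostics page shows) are assumptions, not taken from the announcement.

```python
"""Call m0n0wall's exec_raw.php with a URL-encoded command.

Added example, not m0n0wall code. Assumes the webGUI uses HTTP basic
authentication over plain HTTP (an assumption, not stated on the page).
"""
import base64
import urllib.error
import urllib.parse
import urllib.request


def exec_raw_url(host: str, cmd: str) -> str:
    """Return the exec_raw.php URL for ``cmd``.

    quote(safe="") percent-encodes every reserved character (space, "/",
    "&", "=", ...), so the whole command arrives in the single ``cmd``
    query parameter instead of being split or cut short by the parser.
    """
    return "http://%s/exec_raw.php?cmd=%s" % (host, urllib.parse.quote(cmd, safe=""))


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode("ascii")
    return "Basic " + token


def exec_raw(host: str, cmd: str, user: str, password: str, timeout: float = 10.0) -> str:
    """Run ``cmd`` through exec_raw.php and return its plain-text output.

    The response is text/plain without any HTML wrapping, so the body is
    the command output as-is. It is decoded with replacement so a stray
    non-UTF-8 byte from a shell tool cannot make the call fail.
    """
    req = urllib.request.Request(exec_raw_url(host, cmd))
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed values: replace with your firewall's address and webGUI login.
    # "setkey -D" dumps the IPsec security association database (KAME setkey),
    # i.e. the same entries the new SAD/SPD diagnostics page lists.
    try:
        print(exec_raw("192.168.1.1", "setkey -D", "admin", "mono"))
    except urllib.error.URLError as e:
        print("request failed:", e)
```

Note that everything this helper sends and receives (the credentials in the Authorization header, the command, and its output) crosses the network unencrypted, which is the same exposure as using exec.php from a browser over plain HTTP.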