 From:  Richard Morrell <dick at dickmorrell dot com>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall dash announce at lists dot m0n0 dot ch, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] pb25 released
 Date:  Sun, 18 Jan 2004 08:39:24 +0000 (GMT)
I cannot tell you how vitally important this release is.

When I started supporting remote road warriors in SmoothTunnel with 
SafeNet I sold over $400,000 of SmoothTunnel in two months. Performance-wise, 
M0n0wall beats SmoothWall Corporate Server and SmoothTunnel into a 
cocked hat.

Thank you, Manuel. Your UK fast mirror is alive Tuesday, and I am also 
writing an article on M0n0wall for Linux Magazine this week.


On Sat, 17 Jan 2004, Manuel Kasper wrote:

> Here's yet another release that probably makes dreams come true for some 
> people: mobile user IPsec VPN (a.k.a. IPsec VPN with clients with 
> dynamic IP addresses) is now supported by m0n0wall! It's even possible 
> to set up an IPsec VPN server that has a dynamic WAN IP address and then 
> use a DynDNS hostname with the clients. See the tutorial at
> http://m0n0.ch/wall/docs/node/view/38
> for more information on how to use it in conjunction with SafeNet 
> SoftRemoteLT. SSH Sentinel has been tested, too. There's also a new 
> diagnostic page where you can view and delete IPsec security 
> associations and policies.
> 
> What's more - thanks to a kernel patch (I swapped the processing order 
> of ipfw and ipfilter for outgoing packets), traffic shaper rules can now 
> be applied to the WAN interface, which should make things like 
> prioritizing easier (especially for people with optional interfaces!).
> 
> Quite a few changes to critical components (including the filter rule 
> generator) had to be made for this release (read the change log for 
> details), so once more, remember to backup your configuration and have 
> the image of the previous version ready in case things go wrong. The 
> sheer number of different possible configurations makes it unfeasible 
> for me to try them all. People with exotic setups are of course more 
> likely to experience problems.
> 
> Just to satisfy my curiosity, I ran some throughput tests with mobile 
> user IPsec VPN on a WRAP.1B board. Here are the results:
> 
> PC Engines WRAP.1B, SC1100 233 MHz, IPsec tunnel, iperf TCP performance
> -----------------------------------------------------------------------
> no crypto accelerator:
>     3DES-SHA1                  3   Mbps
>     3DES-MD5                   3.5 Mbps
>     AES128-MD5                 7   Mbps
>     AES256-MD5                 6.3 Mbps
> 
> Soekris Engineering vpn1211 crypto accelerator:
>     3DES-SHA1                  9.2 Mbps
>     3DES-MD5                  10.2 Mbps
> 
> The HiFn 7951 chip doesn't support AES, so AES throughput with the 
> accelerator was of course the same.
> 
> Here's the full change log:
> 
> - mobile IPsec VPN clients (i.e. with a dynamic IP address) are now 
> supported. They have to share a common policy (P1/P2 proposal), but may 
> use different pre-shared keys (with domain names or e-mail addresses as 
> the identifier in aggressive mode).
> - new diagnostics page to view and delete entries in the IPsec SAD and SPD
> - traffic shaper rules can now be applied to the WAN interface (kernel 
> patch)
> - added <shellcmd> tag to <system> section which can be used to run 
> arbitrary shell commands after the initial boot setup completes
> - modified exec.php to always show the last command in the input field
> - added exec_raw.php to execute a command and return the output in 
> text/plain format without any HTML formatting (use like 
> http://m0n0wall-ip/exec_raw.php?cmd=... - command needs to be 
> URL-encoded of course)
> - filter rule generator has been modified: outgoing packets that do not 
> yet have a state table entry are now always allowed to pass and create a 
> state; this implies that the firewall itself can now access any host on 
> all networks that are attached to it. This change was necessary to allow 
> IPsec traffic from mobile users out and to remove a very ugly rule that 
> had been put in place to allow decrypted IPsec traffic in on WAN without 
> being able to verify that it had indeed come from an IPsec tunnel 
> (there's no way of verifying that in an ipfilter rule)
> - added a note about not being able to access NATed services using the 
> WAN IP address from within LAN or optional networks to the inbound NAT page
> - removed IPSEC_FILTERGIF from kernel config to correspond with the 
> changes in the filter rule generator - if you have a custom kernel and 
> use IPsec, rebuild it without that option!
> - reversed processing order of ipfilter and ipfw in ip_output.c to make 
> things symmetric with ip_input.c (ipfw needs to see outgoing packets 
> before ipnat)
> - upgraded racoon to 20030826a
> 
> Have fun!
> 
> - Manuel
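The mobile-client arrangement Manuel describes (one shared phase 1/phase 2 proposal for all clients, a distinct pre-shared key per client selected by its e-mail or domain-name identifier in aggressive mode) looks like this as a racoon responder configuration. This is an added illustration written for this archive page, not the file m0n0wall generates or the tutorial's contents; the hostnames, e-mail identifiers and key placeholders are constructed.

```conf
# racoon.conf (constructed example): responder accepting IPsec clients
# whose source addresses are not known in advance.
path pre_shared_key "/var/etc/psk.txt";

# A single "anonymous" block is the common phase 1 policy every mobile
# client must match. Aggressive mode carries the client's identifier in
# its first message, which is what lets racoon pick that client's key.
remote anonymous {
        exchange_mode aggressive;
        passive on;                 # responder only: clients initiate
        generate_policy on;         # derive SPD entries from the client's proposal
        proposal_check obey;
        my_identifier address;      # our WAN address (use fqdn with a DynDNS name)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Common phase 2 policy; AES is accepted here but, as the thread notes,
# only software-encrypted on the HiFn 7951 board.
sainfo anonymous {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

# /var/etc/psk.txt (racoon refuses the file unless it is mode 0600).
# One line per client: identifier, whitespace, that client's key.
# user_fqdn identifiers are e-mail addresses, fqdn identifiers host names.
# Removing a line revokes that client without touching the others.
alice@example.com       REPLACE-WITH-LONG-RANDOM-KEY-1
bob@example.com         REPLACE-WITH-LONG-RANDOM-KEY-2
laptop.example.com      REPLACE-WITH-LONG-RANDOM-KEY-3
```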