 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  "Monowall User List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] 1.3b9 | Blowfish or 3DES IPSEC vpn
 Date:  Tue, 12 Feb 2008 17:30:50 -0500
On Feb 12, 2008 4:36 PM, Michel Servaes <michel at mcmc dot be> wrote:
> I have this strong impression that when I use 3DES on the monowall, that
> my VPN connection times out every day... I can reactivate the tunnel by
> disabling IPSEC completely, and reactivating it in my monowall.
> I am using a PentiumIII 600MHz / 384MB RAM (RAM overkill seems).
> (Compaq Deskpro EP)
> The other side is currently a DLINK DFL-200  (it's at my office, and I
> am planning on installing a monowall as well - that machine will be a
> Pentium4 - 1,6GHz (Compaq Deskpro EVO))
> This morning I changed the tunnel on both sides to Blowfish, and for now
> it seems ok...

Connection dropping and not reestablishing is unlikely to be resolved
by changing the encryption unless the other end has some sort of 3DES

> btw: what is the limit of IPSEC tunnels to be made... I guess this will
> be machine specific, but what are your expectations on my Pentium
> III-600MHz, and on the Pentium4-1,6GHz ??

At about 100 sites, racoon on FreeBSD will start to fall apart and stop
working completely. A fix for this is being tested in pfSense and
seems to work, and there are FreeBSD developers looking to merge those
changes into FreeBSD, so that might not be the case for much longer.

The other limitation is throughput, a 600 MHz should be able to do
10-15 Mb of anything but 3DES (it's far slower than the other
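To put the throughput point above to a number on a specific box before picking a tunnel cipher, here is an added example (not from Chris's post or from m0n0wall) that wraps the OpenSSL command-line benchmark. It assumes the `openssl` CLI is installed and uses OpenSSL's EVP cipher names (des-ede3-cbc, bf-cbc, aes-128-cbc); the parser column layout is the one `openssl speed` prints.

```shell
#!/bin/sh
# Compare software cipher throughput so an IPsec endpoint is not
# configured with a cipher its CPU cannot push at the expected rate.
# Assumption: the openssl CLI is present and "openssl speed -evp"
# prints its usual summary table (name, 16B, 64B, 256B, 1024B, ...).

# Extract the 1024-byte-block figure (kB/s) for one cipher from
# "openssl speed" output supplied on stdin.
speed_kbps() {
    # Summary line looks like:
    #   des-ede3-cbc  12000.00k  12500.00k  12800.00k  12900.00k  12950.00k
    # Field 5 is the 1024-byte column; strip the trailing "k".
    awk -v c="$1" '$1 == c { sub(/k$/, "", $5); print $5; exit }'
}

# Convert kB/s (1000-byte units, as openssl reports) to whole Mbit/s.
kbps_to_mbit() {
    echo "$1" | awk '{ printf "%d\n", ($1 * 8) / 1000 }'
}

# Run a short live benchmark for one cipher and print Mbit/s.
# Returns non-zero if openssl is missing or the cipher is unknown.
bench_cipher() {
    out=$(openssl speed -evp "$1" -seconds 1 2>/dev/null) || return 1
    kb=$(printf '%s\n' "$out" | speed_kbps "$1")
    [ -n "$kb" ] || return 1
    kbps_to_mbit "$kb"
}

# Usage: "sh bench.sh run" benchmarks the ciphers discussed in the thread.
if [ "${1:-}" = "run" ]; then
    for c in des-ede3-cbc bf-cbc aes-128-cbc; do
        printf '%-14s %s Mbit/s\n' "$c" "$(bench_cipher "$c" || echo n/a)"
    done
fi
```

The raw figure is an upper bound: real IPsec throughput on the box is lower once ESP encapsulation, the hash (HMAC) and kernel packet handling are counted, so leave headroom when reading the result.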