Hi folks, I'm wondering if someone please could clarify some IPSec specific questions to me?

IPSEC_FILTERGIF: What are the consequences when enabling this if one does use IPSEC (or FAST_IPSEC) w/o any GIF tunnels? Are there any, or does IPSEC_FILTERGIF only influence packet flow with gif devices? NOTES says:

# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that packets coming from a tunnel are _not_ processed;
# they are assumed trusted.

But I've found signs in the archives that even while not using gif tunnels, IPSec packets are getting filtered with the FILTERGIF option. I might be wrong about this.

device enc: I haven't been aware of the fact that we already have such a device. There's a man page (man 4 enc) but it's not in NOTES or GENERIC. Is the enc(4) man page correct and up to date? Shouldn't there at least be a note in NOTES somewhere around the options FAST_IPSEC line with a hint for enc(4)? Is just compiling device enc into the kernel, using options FAST_IPSEC and passing (or blocking) traffic on interface enc0 using pf rules all one has to do?

IPSEC / FAST_IPSEC: What is the (say) 'official' recommended option to use? Where are the differences, what are the consequences while using one or the other? Will both do the same w/o any consequences for the admin?

I'm currently in the process of checking for migration to racoon2 and need to re-check every IPSec related setup.

Thanks,
Volker
We're looking to deploy FreeBSD on our main firewall. The firewall config is a VIA C7 (padlock), racoon (ipsec-tools-0.7), IPSec. We're testing racoon with a Windows box, however the firewall doesn't function correctly when net.inet.ipsec.crypto_support=1 is set. With net.inet.ipsec.crypto_support=0 it does. The firewall was configured with FreeBSD 6.2R and replaced with 6.3RC1 on a separate HDD (as at 2007-12-02).

"Doesn't function correctly" means that after phase 1 & 2 negotiation the Windows box is able to send a ping (from WXP-SP2+) to the server. The server doesn't respond to the pings, but generates "pfkey Update failed" messages during racoon debugging. (Wireshark was running on the PC-WXP, tcpdump on FreeBSD.) The testing was performed with both ends configured for ESP transport mode, 3DES and MD5 for encryption and hashing, and PFS (Diffie-Hellman 2 (1024)). These two machines were connected on a stand-alone network (via crossover cables).

Server kernel uses:

options FAST_IPSEC
device cryptodev
device padlock
options IPFIREWALL

/etc/sysctl.conf contains the following which may be relevant:

net.inet.ip.fastforwarding=1
kern.cryptodevallowsoft=1
net.inet.ipsec.crypto_support=1 # this was toggled 1/0 during testing
net.inet.icmp.icmplim=10 # These may be off-track?
net.inet.tcp.slowstart_flightsize=4

I hope that someone can provide some guidance, as I'm looking forward to getting the performance out of these energy efficient little processors. I should note that IPSec works fine between FreeBSD boxes with net.inet.ipsec.crypto_support=1, however we have to reconfigure for high-value PC communications. I'd like to have my cake (freebsd-ipsec-padlock) and eat it too (WXP) ;)

Reference: net.inet.ipsec.crypto_support values from http://groups.google.ca/group/mailing.freebsd.stable/browse_frm/thread/f3f140e615d9ca62/31935038340cc323?lnk=st&q=fast_ipsec+net.inet.ipsec.crypto_support&rnum=5&hl=en#31935038340cc323

Dewayne (Phil) Geraghty
Dewayne Geraghty wrote:
> My apologies for the confusion, yes, the C7 only helps with AES.
>
> The configuration detail is: between branch offices I use FreeBSD ipsec
> (AES), and within the branches Windows boxes access the firewall boxes. The
> "firewalls" run samba inside a jail. Due to sensitive information (see your
> local Privacy legislation), we also need to encrypt the information between
> samba jail and the PC-WXP devices. Hence the need to use ipsec-AES on the
> WAN and ipsec-3des on the LAN (as 3des is the best option selectable for
> WXP).
>
> Regards, Dewayne.

Just out of curiosity, what happens if you set net.inet.ipsec.crypto_support = -1 when using 3DES in your testing? Does the firewall work then?

-Proto
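As an added diagnostic (not code from the thread or from FreeBSD), the POSIX sh check below runs over constructed copies of Dewayne's kernel options and sysctl.conf and flags the combination the thread is circling: a padlock-only hardware path together with a 3DES ESP cipher, which padlock does not implement. It assumes that net.inet.ipsec.crypto_support=1 restricts SA setup to hardware drivers (verify against crypto(9) for the kernel in use); the function name ipsec_check and the inline config text are hypothetical.

```sh
#!/bin/sh
# Constructed copies of the poster's kernel options and sysctl.conf (not real
# files); on a live box they would come from the kernel config and sysctl(8).
KERNCONF='options FAST_IPSEC
device cryptodev
device padlock
options IPFIREWALL'
SYSCTLCONF='net.inet.ip.fastforwarding=1
kern.cryptodevallowsoft=1
net.inet.ipsec.crypto_support=1
net.inet.icmp.icmplim=10'

# ipsec_check KERNCONF SYSCTL_CONF ESP_CIPHER
# Prints findings; exit status is the number of hard mismatches (0 = none).
ipsec_check() {
    kern=$1 sysc=$2 cipher=$3 bad=0
    # Assumption: crypto_support=1 means "hardware drivers only" for SA setup.
    support=$(printf '%s\n' "$sysc" |
        sed -n 's/^net\.inet\.ipsec\.crypto_support=\(-\{0,1\}[0-9]*\).*/\1/p')
    if ! printf '%s\n' "$kern" | grep -Eq '^options[[:space:]]+(FAST_)?IPSEC$'; then
        echo "ERROR: no IPsec stack (options IPSEC or FAST_IPSEC) in kernel config"
        bad=$((bad + 1))
    fi
    if printf '%s\n' "$kern" | grep -q '^device[[:space:]]*padlock' &&
       [ "$cipher" != aes ]; then
        # padlock(4) implements AES only; any other ESP cipher needs the
        # software crypto driver (cryptosoft) instead.
        echo "WARN: padlock accelerates AES only; ESP cipher '$cipher' needs software crypto"
        if [ -n "$support" ] && [ "$support" != 0 ]; then
            echo "WARN: crypto_support=$support may exclude the software driver, leaving no driver for a '$cipher' SA"
            bad=$((bad + 1))
        fi
    fi
    if printf '%s\n' "$sysc" | grep -q '^kern\.cryptodevallowsoft='; then
        # This knob only governs userland /dev/crypto sessions, not kernel IPsec.
        echo "INFO: kern.cryptodevallowsoft affects /dev/crypto (userland) only, not kernel IPsec"
    fi
    return $bad
}

ipsec_check "$KERNCONF" "$SYSCTLCONF" 3des || echo "mismatches: $?"
```

Running it with aes instead of 3des reports nothing and exits 0, which matches the FreeBSD-to-FreeBSD AES setup that works in the thread.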