Displaying 12 results from an estimated 12 matches for "fast_ipsec".
2004 Jan 16
1
HiFn / FAST_IPSEC question
Hi,
Just got some of the new Soekris 1401 VPN cards based on the hifn 7955 chip.
hifn0 mem 0xe8510000-0xe8517fff,0xe8518000-0xe8519fff,0xe851a000-0xe851afff
irq 5 at device 0.0 on pci1
hifn0: Hifn 7955, rev 0, 32KB dram, 64 sessions
vs
hifn0 mem 0xeb902000-0xeb902fff,0xeb901000-0xeb901fff irq 10 at device 8.0
on pci0
hifn0: Hifn 7951, rev 0, 128KB sram, 193 sessions
When it says "n
2003 Sep 11
2
FAST_IPSEC doesn't seem to honor net.key.prefered_oldsa=0
When using the FAST_IPSEC option in the kernel build, the sysctl
variable net.key.prefered_oldsa seems to make no difference. The
kernel always chooses an old SA. This problem can be easily
reproduced. Just wait till the soft limit of the SA is expired and do
a setkey -F on the remote and then ping through the tunnel. Be...
2006 Mar 22
1
FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
...cryptographic checksum computed using one-way hash functions.
II. Problem Description
IPsec provides an anti-replay service which when enabled prevents an attacker
from successfully executing a replay attack. This is done through the
verification of sequence numbers. A programming error in the fast_ipsec(4)
implementation results in the sequence number associated with a Security
Association not being updated, allowing packets to unconditionally pass
sequence number verification checks.
III. Impact
An attacker able to intercept IPSec packets can replay them. If higher
level protocols which do...
2006 Mar 22
1
FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
...cryptographic checksum computed using one-way hash functions.
II. Problem Description
IPsec provides an anti-replay service which when enabled prevents an attacker
from successfully executing a replay attack. This is done through the
verification of sequence numbers. A programming error in the fast_ipsec(4)
implementation results in the sequence number associated with a Security
Association not being updated, allowing packets to unconditionally pass
sequence number verification checks.
III. Impact
An attacker able to intercept IPSec packets can replay them. If higher
level protocols which do...
2006 Apr 25
3
Freebsd Stable 6.x ipsec slower than with 4.9
Hello List,
I have two dualcore Athlon 64 4800+ systems. Initially I was running 4.9
on both of them and was able to get 54mbits thru direct connected realtek
10/100 cards as measured by nttcp.
I put stable on one of the systems and now can only get 37mbits as measured
by nttcp when going thru an ipsec tunnel.
Eliminating the tunnel I get 94mbit/sec.
Ideas as to why this is happening?
Also
2006 May 26
0
IPSEC - tcp port match
...ssh protocol. For example:
setkey -FP
setkey -F
setkey -c << EOF
spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ;
spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ;
EOF
(Pass incoming ssh packets to 10.6.10.50, block other tcp packets)
This works under fresh 7-CURRENT(FAST_IPSEC). On fresh 6-STABLE (neither
FAST_IPSEC nor KAME IPSEC) it doesn't work, first string
"spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none" never matches.
Is it a bug in 6-STABLE or am I missing something?
Does anybody successfully use IPSEC with tcp port matching under 6-STABLE?
--
Gennady
2006 Apr 18
3
FreeBSD 4.9 losing mbufs!!!
Hello List,
I know 4.9 is ancient history, but unfortunately we have several
thousand sites installed. We are in the process of moving to 6.1 when it
is released.
Right now I have an immediate problem where we are going to install two
systems at a HQ site. Each of the 2 systems will have two gre/vpn/ospf
tunnels to a 100 remote sites in the field. The broadband will be a T3
with failover to
2004 Jan 13
3
IPSEC btwn stable and Linksys BEFVP41 stopped working.
Hi,
I have been using IPsec to communicate between a laptop that tracks
-stable and a Linksys BEFVP41 router.
I only use it infrequently, but it's been working great. My setup is
as described in http://grapeape.alerce.com/linksys-ipsec/article.html
(which I am planning to submit to the handbook when it's done).
I'm no longer able to make an ipsec connection, and I can't put my
2007 Oct 05
2
FastIPSec and OCF
Hi,
Does FASTIPSec in FreeBSD use OCF framework? Where can I find more
documentation?
I wish to run cryptographic algorithms after setting a VPN. What command
should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)
Where can I find all such information?
--
Regards,
Bubble
2004 Apr 27
2
IPsec works, but racoon/IKE does not
I have no idea whatsoever as to why racoon/IKE does not work here.
I've tried various how-to documents but found nothing that works for
me.
Gateway (10.0.0.1) running 4.9-stable.
Laptop (10.0.0.10) running 5.2.1-release.
Both running racoon-20040408a
On the gateway 10.0.0.1
# cat /etc/ipsec.conf
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A
hmac-sha1
2005 Apr 21
1
Fwd: (KAME-snap 9012) racoon in the kame project
FYI, looks like support for Racoon is ending. Does anyone have any
experience with the version in ipsec-tools ?
---Mike
>Racoon users,
>
>This is the announcement that the kame project will quit providing
>a key management daemon, the racoon, and that "ipsec-tools" will become
>the formal team to release the racoon.
>The final release of the racoon in the
2007 Mar 07
1
freebsd vpn server behind nat dsl router
Hello Greg,
I am writing you, because I saw your responses to a couple of messages on
the freebsd-security mailing list related to freebsd vpn and nat.
My situation is rather unique, and I am needing an expert's eyes to
glance at it and confirm whether it is doable or not. I have a simple
diagram that illustrates what I am trying to do, and it is located here
(about 40k):