search for: fast_ipsec

Displaying 12 results from an estimated 12 matches for "fast_ipsec".

2004 Jan 16
1
HiFn / FAST_IPSEC question
Hi, Just got some of the new Soekris 1401 VPN cards based on the hifn 7955 chip. hifn0 mem 0xe8510000-0xe8517fff,0xe8518000-0xe8519fff,0xe851a000-0xe851afff irq 5 at device 0.0 on pci1 hifn0: Hifn 7955, rev 0, 32KB dram, 64 sessions vs hifn0 mem 0xeb902000-0xeb902fff,0xeb901000-0xeb901fff irq 10 at device 8.0 on pci0 hifn0: Hifn 7951, rev 0, 128KB sram, 193 sessions When it says "n
2003 Sep 11
2
FAST_IPSEC doesn't seem to honor net.key.prefered_oldsa=0
When using the FAST_IPSEC option in the kernel build, the sysctl variable net.key.prefered_oldsa seems to make no difference. The kernel always chooses an old SA. This problem can be easily reproduced. Just wait till the soft limit of the SA is expired and do a setkey -F on the remote and then ping through the tunnel. Be...
2006 Mar 22
1
FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
...cryptographic checksum computed using one-way hash functions. II. Problem Description IPsec provides an anti-replay service which when enabled prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated with a Security Association not being updated, allowing packets to unconditionally pass sequence number verification checks. III. Impact An attacker able to intercept IPSec packets can replay them. If higher level protocols which do...
2006 Mar 22
1
FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
...cryptographic checksum computed using one-way hash functions. II. Problem Description IPsec provides an anti-replay service which when enabled prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated with a Security Association not being updated, allowing packets to unconditionally pass sequence number verification checks. III. Impact An attacker able to intercept IPSec packets can replay them. If higher level protocols which do...
2006 Apr 25
3
Freebsd Stable 6.x ipsec slower than with 4.9
Hello List, I have two dualcore Athlon 64 4800+ systems. Initially I was running 4.9 on both of them and was able to get 54mbits thru direct connected realtek 10/100 cards as measured by nttcp. I put stable on one of the systems and now can only get 37mbits as measured by nttcp when going thru an ipsec tunnel. Eliminating the tunnel I get 94mbit/sec. Ideas as to why this is happening? Also
2006 May 26
0
IPSEC - tcp port match
...ssh protocol. For example: setkey -FP setkey -F setkey -c << EOF spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ; spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ; EOF (Pass incoming ssh packets to 10.6.10.50, block other tcp packets) This works under fresh 7-CURRENT(FAST_IPSEC). On fresh 6-STABLE (neither FAST_IPSEC nor KAME IPSEC) it doesn't work, first string "spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none" never matches. Is it a bug in 6-STABLE or am I missing something? Does anybody successfully use IPSEC with tcp port matching under 6-STABLE? -- Gennady
2006 Apr 18
3
FreeBSD 4.9 losing mbufs!!!
Hello List, I know 4.9 is ancient history, but unfortunately we have several thousand sites installed. We are in the process of moving to 6.1 when it is released. Right now I have an immediate problem where we are going to install two systems at a HQ site. Each of the 2 systems will have two gre/vpn/ospf tunnels to a 100 remote sites in the field. The broadband will be a T3 with failover to
2004 Jan 13
3
IPSEC btwn stable and Linksys BEFVP41 stopped working.
Hi, I have been using IPsec to communicate between a laptop that tracks -stable and a Linksys BEFVP41 router. I only use it infrequently, but it's been working great. My setup is as described in http://grapeape.alerce.com/linksys-ipsec/article.html (which I am planning to submit to the handbook when it's done). I'm no longer able to make an ipsec connection, and I can't put my
2007 Oct 05
2
FastIPSec and OCF
Hi, Does FASTIPSec in FreeBSD use OCF framework? Where can I find more documentation? I wish to run cryptographic algorithms after setting a VPN. What command should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)? Where can I find all such information? -- Regards, Bubble
2004 Apr 27
2
IPsec works, but racoon/IKE does not
I have no idea whatsoever as to why racoon/IKE does not work here. I've tried various how-to documents but found nothing that works for me. Gateway (10.0.0.1) running 4.9-stable. Laptop (10.0.0.10) running 5.2.1-release. Both running racoon-20040408a On the gateway 10.0.0.1 # cat /etc/ipsec.conf add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1
2005 Apr 21
1
Fwd: (KAME-snap 9012) racoon in the kame project
FYI, looks like support for Racoon is ending. Does anyone have any experience with the version in ipsec-tools ? ---Mike >Racoon users, > >This is the announcement that the kame project will quit providing >a key management daemon, the racoon, and that "ipsec-tools" will become >the formal team to release the racoon. >The final release of the racoon in the
2007 Mar 07
1
freebsd vpn server behind nat dsl router
Hello Greg, I am writing you, because I saw your responses to a couple of messages on the freebsd-security mailing list related to freebsd vpn and nat. My situation is rather unique, and I am needing an expert's eyes to glance at it and confirm whether it is doable or not. I have a simple diagram that illustrates what I am trying to do, and it is located here (about 40k):