From: Michael VInce
Date: Mon, 12 Sep 2005 21:35:11 +1000
To: "Bjoern A. Zeeb"
Cc: freebsd-amd64@FreeBSD.org, Kris Kennaway
Subject: Re: FAST_IPSEC on EMT64 / AMD64
Message-ID: <432567EF.2060800@roq.com>

Bjoern A. Zeeb wrote:

>On Mon, 12 Sep 2005, Kris Kennaway wrote:
>
>>On Mon, Sep 12, 2005 at 11:56:58AM +1000, Michael VInce wrote:
>>
>>>Hi guys,
>>>I am getting an Intel Xeon based EMT64 server as a gateway that may in
>>>the future do some VPN,
>>>I wondered if the EMT64 servers could run FAST_IPSEC under AMD64 FreeBSD.
>>>With these options below compiled into the kernel I was able to boot
>>>FreeBSD with no panics if I booted into single user mode and then just
>>>did 'exit' to go back to regular boot, otherwise it would panic as if
>>>it was an AMD64 CPU.
>>>
>>You forgot to include details of the panic.
>>
>
>That would be really good to know.
>
>Then we'd finally know more than was given in
>http://www.freebsd.org/cgi/query-pr.cgi?pr=amd64/73211
>

Sorry, instead of getting a core dump I grabbed a FreeBSD AMD64 beta4 6.0 ISO and put it on this server.

But I do have some good news in what I found. Recompiled FAST_IPSEC into the kernel and rebooted it, it came up fine. So then put in some ipsec security policies into /etc/ipsec.conf ipsec_enable="YES" and ran /etc/rc.d/ipsec start and it ran fine.

I then installed ipsec-tools and loaded up the racoon daemon (this also triggers a panic on my FreeBSD AMD64 6.0 laptop without FAST_IPSEC being compiled into the kernel) and it's loaded up fine.

This looks all completely solid. I haven't been able to panic the server with a full VPN configuration activated. The only thing I haven't done is tested if the IPSEC VPN actually can work.
This is no mistake, this is AMD64 kernel FreeBSD with FAST_IPSEC; I just cheated using the Intel EMT64.

Regards,
Mike

beast# /sbin/sysctl -a | grep ipsec
ipsecpolicy 16 4K - 520 256
ipsecrequest 2 1K - 4 256
ipsec-reg 3 1K - 24 32
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.esp_randpad: -1
net.inet.ipsec.crypto_support: 0
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.esp_randpad: -1

beast# uname -a
FreeBSD beast 6.0-BETA4 FreeBSD 6.0-BETA4 #0: Mon Sep 12 20:40:05 UTC 2005 root@beast:/usr/obj/usr/src/sys/GENERIC_IPSEC amd64