Date:      Mon, 12 Sep 2005 21:35:11 +1000
From:      Michael VInce <mv@roq.com>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-amd64@FreeBSD.org, Kris Kennaway <kris@obsecurity.org>
Subject:   Re: FAST_IPSEC on EMT64 / AMD64
Message-ID:  <432567EF.2060800@roq.com>
In-Reply-To: <Pine.BSF.4.53.0509120718260.46635@e0-0.zab2.int.zabbadoz.net>
References:  <4324E06A.4090400@roq.com> <20050912054858.GA28647@xor.obsecurity.org> <Pine.BSF.4.53.0509120718260.46635@e0-0.zab2.int.zabbadoz.net>

Bjoern A. Zeeb wrote:

>On Mon, 12 Sep 2005, Kris Kennaway wrote:
>
>>On Mon, Sep 12, 2005 at 11:56:58AM +1000, Michael VInce wrote:
>>
>>>Hi guys,
>>>I am getting an Intel Xeon based EMT64 server as a gateway that may in
>>>the future do some VPN,
>>>I wondered if the EMT64 servers could run FAST_IPSEC under AMD64 FreeBSD.
>>>With these options below compiled into the kernel I was able to boot
>>>FreeBSD with no panics if I booted into single user mode and then just
>>>did 'exit' to go back to regular boot, otherwise it would panic as if
>>>it was an AMD64 CPU.
>>
>>You forgot to include details of the panic.
>
>That would be really good to know.
>
>Then we'd finally know more than was given in
>http://www.freebsd.org/cgi/query-pr.cgi?pr=amd64/73211

Sorry, instead of getting a core dump I grabbed a FreeBSD AMD64 beta4 6.0
ISO and put it on this server.
But I do have some good news in what I found.
Recompiled FAST_IPSEC into the kernel and rebooted it, and it came up fine.
So then I put some ipsec security policies into /etc/ipsec.conf
ipsec_enable="YES"
and ran /etc/rc.d/ipsec start
and it ran fine.
I then installed ipsec-tools and loaded up the racoon daemon (this also
triggers a panic on my FreeBSD AMD64 6.0 laptop without FAST_IPSEC
being compiled into the kernel) and it's loaded up fine.
This looks all completely solid. I haven't been able to panic the server
with a full VPN configuration activated.
The only thing I haven't done is test if the IPSEC VPN actually can work.

This is no mistake, this is AMD64 kernel FreeBSD with FAST_IPSEC, I just
cheated using the Intel EMT64.

Regards,
Mike

beast# /sbin/sysctl -a | grep ipsec
  ipsecpolicy    16     4K       -      520  256
 ipsecrequest     2     1K       -        4  256
    ipsec-reg     3     1K       -       24  32
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.esp_randpad: -1
net.inet.ipsec.crypto_support: 0
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.esp_randpad: -1
beast# uname -a
FreeBSD beast 6.0-BETA4 FreeBSD 6.0-BETA4 #0: Mon Sep 12 20:40:05 UTC 2005     root@beast:/usr/obj/usr/src/sys/GENERIC_IPSEC  amd64
