[EMAIL PROTECTED] wrote:

> >Is anyone doing IPsec here? I would like to talk about that as well.
> >Have tried earlier to run Apache+modssl over IPv6 but that would not
> >work (modssl did not work ... probably a name resolution problem or
> >something.)
>
> Did you try apache with IPv6 patch? In that case, IPv6 patch
> in the apache and the modssl part can interact in strange ways.
> it is not supposed to work.

Do you mean intentionally? Is it intentionally not working? Or is it just
about modssl requiring an IPv6 patch? My guess is that modssl is doing some
AF-dependent stuff somewhere. It may be just the virtual host stuff ... is
that working all right with the v6-patched Apache?

> >Next step is to deploy IPsec. I want to push this a little
> >beyond simple tunneling and static keying. Particularly I wonder how
> >to do two things: (1) link IKE/racoon with a PKI and using site
> >certificates, (2) setting up user-level authenticated IPsec
> >associations. If IPsec/IPv6 is going to take over the world, these
> >things need to be worked out properly, are they yet?
>
> If you would like to try IPsec, please be sure to upgrade to freebsd
> 4.1 or more recent KAME kits (not the integrated one in 4.0).
> if you use the suggested software, it should work without too much
> trouble.

Aha, thanks for the hint. I have been using IPsec already on 4.0 for some
tests, but will upgrade to 4.1 as soon as it is released ... should be any
day now. I am still afraid of tracking the stable branch, since it may one
day break anyway ... or not?

In any case, I just ported netpipe-2.3 to IPv6 (patches to whom? do you
guys at KAME want them, or should I send them to the netpipe folks?). I have
revised my earlier findings with netperf that IPv4 and IPv6 perform
differently; netpipe shows them as just about the same.
But I have done some more comparison. An SSH tunnel that hops from
localhost:5250 -> SSH[aurora->prometeus] -> localhost:5251 is, with
3des-cbc, almost as fast as IPsec with 3des-cbc (SSH about 5-10% slower).
But using the blowfish-cbc cipher the outcome inverts! IPsec with blowfish
compares terribly against the SSH tunnel (IPsec about 20% slower). Something
must be wrong with the blowfish implementation used in KAME, or the SSH
blowfish cheats. But I also found that RC5 is performing best among the
strong ciphers (even better than 1DES, especially at higher transfer buffer
sizes). I would always use RC5, but unfortunately if you set up IPsec
tunnels to CISCO routers you are bound to 1DES, isn't that true?

I did not quite understand the setkey function. I tried to use ipcomp but
could not get it to work (it always complains about the -C deflate option
that I chose). What I wanted to try is to increase throughput by compression
before encryption. I have calculated that theoretically it should improve
throughput, since the compression leaves less data for the encryption to
choke on. But I can't test it with IPsec. Is it possible at all to use
ipcomp/deflate before ESP-ing?

How come racoon is not part of the FreeBSD release in usr.sbin? I found it
in ports. Is something wrong with it, that it can't be trusted yet?

thanks, nice chatting with you :-)
regards
-Gunther
--
Gunther Schadow, M.D., Medical Information Scientist
Regenstrief Institute for Health Care
1050 Wishard Blvd, Indianapolis, Indiana 46202, USA
tel (work): +1 317 630 7960   fax: +1 317 630 6962   home: +1 317 816 0516
http://aurora.rg.iupui.edu
[EMAIL PROTECTED]
All opinions expressed in this message are my own and do not necessarily
represent those of the Regenstrief Institute.
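The ipcomp-before-ESP setup asked about above, written out as an added setkey(8) configuration example. This is not from the original message, from KAME, or from any reply on the list; it assumes two hosts 10.0.0.1 and 10.0.0.2 in transport mode, arbitrary SPI and CPI values, placeholder 3des-cbc keys, and that the protocols listed in one policy line are applied in the order written, innermost first (so the packet is deflated, then ESP-encrypted). The file is written for host 10.0.0.1; the peer loads the same SAs with the in/out policies swapped.

```conf
# ipcomp-esp.conf  --  load with: setkey -f ipcomp-esp.conf
# Constructed example (added here, not part of the original message or KAME).
# Clear existing SAs and policies first so stale entries do not mask errors.
flush;
spdflush;

# IPComp SAs. For protocol "ipcomp" the SPI field carries the 16-bit CPI;
# 0x1000/0x1001 are arbitrary values from the negotiated range, chosen for
# this example. "deflate" is the compression algorithm selected with -C.
add 10.0.0.1 10.0.0.2 ipcomp 0x1000 -C deflate;
add 10.0.0.2 10.0.0.1 ipcomp 0x1001 -C deflate;

# ESP SAs with 3des-cbc (192-bit key = 48 hex digits). The keys below are
# placeholders for the example only; generate real ones, e.g.
#   openssl rand -hex 24
add 10.0.0.1 10.0.0.2 esp 0x2000 -E 3des-cbc
	0x0123456789abcdef0123456789abcdef0123456789abcdef;
add 10.0.0.2 10.0.0.1 esp 0x2001 -E 3des-cbc
	0xfedcba9876543210fedcba9876543210fedcba9876543210;

# Policy: compress, then encrypt.
#   level "use"     = apply IPComp when a matching SA exists, pass otherwise
#   level "require" = drop the packet unless an ESP SA exists
# Assumption for this example: protocols are applied in the order written,
# innermost first, so IPComp runs before ESP on output and ESP is stripped
# before IPComp on input.
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec
	ipcomp/transport//use esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in ipsec
	ipcomp/transport//use esp/transport//require;
```

After loading, `setkey -D` lists the SAs (the ipcomp entries should show deflate as their algorithm) and `setkey -DP` lists the policies; if the ipcomp SA is missing the "use" level silently sends uncompressed-but-encrypted traffic, so check `setkey -D` rather than inferring from throughput alone. Whether the deflate step actually helps depends on the payload: already-compressed or encrypted data (an SSH tunnel, for instance) will not shrink, and the per-packet deflate cost then only adds latency.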