My question is how does one properly load this module?  I've tried loading
it from the modules package (/etc/modules) but when I try to restart ipsec
it fails because it can't unload the ipsec.o module due to the fact that it
is in use by the ipsec_aes.o module.

I'm sure I'm missing something here.  Should I replace the ipsec.o with
ipsec_aes.o or add a stub to the shutdown/restart script to remove/unload
ipsec_aes.o first?

Dumb questions I'm sure but we all have to learn somehow =-)

----- Original Message ----- 
From: "Roger E McClurg" <[EMAIL PROTECTED]>
To: "Troy Aden" <[EMAIL PROTECTED]>
Cc: "Charles Steinkuehler" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, April 14, 2004 11:43 AM
Subject: RE: [leaf-user] Bering 1.2 Throughput Test Results


> Troy,
>
> It's not a dumb question. I just figured it out myself. In the connection
> defaults, or in the specific connection you want to use aes, just add
> esp=aes. Of course the ipsec-aes.o module must be loaded.
>
> Roger
>
> Troy Aden <Troy.Aden@VCom.com>
> 04/14/2004 10:13 AM
>
>         To:     Roger E McClurg/CEG/[EMAIL PROTECTED], Charles Steinkuehler
> <[EMAIL PROTECTED]>
>         cc:     [EMAIL PROTECTED]
>         Subject:        RE: [leaf-user] Bering 1.2 Throughput Test Results
>
>
> I am sure this question is a silly one but here it goes.
> How do I go about changing the Encryption algorithm in Freeswan IPSec?
> I am using Bering Uclibc 2.0. I am using FreeSwan IPSec with PSK's for my
> connections. I did not see anything in the procedures for changing the
> encryption algorithms that this package uses. I am assuming that I would
> add the module (ipsec_aes.o) to /lib/modules/. But can anyone please tell
> me the command that I need to put in the IPSec config file to tell it
> specifically what algorithm to use?
>
> Thanks in advance!
>
> Troy
>
> Here is what my config looks like:
>
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
>
>
> # defaults for subsequent connection descriptions
> conn %default
>         # How persistent to be in (re)keying negotiations (0 means very).
>         keyingtries=0
>         # RSA authentication with keys from DNS.
>         authby=secret
>         right=132.125.107.155
>         rightsubnet=192.168.55.0/16
>         rightnexthop=132.125.107.254
>         pfs=yes
>
> conn block
>         auto=ignore
>
> conn private
>         auto=ignore
>
> conn private-or-clear
>         auto=ignore
>
> conn clear
>         auto=ignore
>
> conn packetdefault
>         auto=ignore
>
> conn troy
>         left=139.145.45.166
>         leftsubnet=10.10.65.0/24
>         leftnexthop=139.145.45.129
>         auto=start
>
> Here is what comes up when I start a connection:
>
> ipsec whack --initiate --name test
> 002 "troy" #152: initiating Main Mode
> 104 "troy" #152: STATE_MAIN_I1: initiate
> 106 "troy" #152: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "troy" #152: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "troy" #152: Main mode peer ID is ID_IPV4_ADDR: '139.145.45.166'
> 002 "troy" #152: ISAKMP SA established
> 004 "troy" #152: STATE_MAIN_I4: ISAKMP SA established
> 002 "troy" #153: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
> 117 "troy" #153: STATE_QUICK_I1: initiate
> 002 "troy" #153: sent QI2, IPsec SA established
> 004 "troy" #153: STATE_QUICK_I2: sent QI2, IPsec SA established
>
> -----Original Message-----
> From: Roger E McClurg [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 14, 2004 7:13 AM
> To: Charles Steinkuehler
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results
>
> My apologies. I should have looked before I asked. It is in the Bering
> modules, right where it should be.
>
> Roger
>
> -=-=-=--=-=-=-=-=-=-=-=
> Charles,
>
> I'd love to run the tests. Where can I find the ipsec_aes.o module for
> Bering 1.2?
>
> Roger
>
> Charles Steinkuehler <charles@steinkuehler.net>
> 04/13/2004 04:13 PM
>
>         To:     Roger E McClurg/CEG/[EMAIL PROTECTED]
>         cc:     [EMAIL PROTECTED]
>         Subject:        Re: [leaf-user] Bering 1.2 Throughput Test Results
>
>
> Roger E McClurg wrote:
> <snip>
> > The next test was to FTP from the PC connected to the OpenBrick E to the
> > PC connected to a 500 MHz P III running Bering 1.2.  The transfer rate
> > was only 12.67 Mb/sec.  The 3DES IPSEC encryption was certainly taking
> > its toll.
> >
> > Next we replaced both Bering machines with Nortel Contivity 1500 VPN
> > devices. The Contivity is a popular VPN concentrator for small branch
> > offices. It was designed specifically for the purpose of a VPN
> > concentrator. Imagine our surprise when the Contivity transfer rate was
> > only 4.45 Mb/sec. The Bering boxes were running weblet, shorewall,
> > dnscache, dhcpd, ssh, sshd, sftp, snmp, and snmpd in addition to IPSEC,
> > and yet they were almost three times faster than commercial VPN
> > concentrators.
>
> If you want to have a bit more fun, switch your IPSec links to the new
> AES (ipsec_aes.o) encryption algorithm.  Designed to be more friendly to
> modern CPU's with wide registers and SIMD (Single Instruction Multiple
> Data) instruction sets (3DES is optimized for hardware, and doesn't
> translate nicely into a byte/word oriented general-purpose CPU
> algorithm), you should see a substantial increase in your transfer rates.
>
> 3DES is usually not much of a bottleneck (even with the 'slow' Nortel
> devices), as usually the upstream WAN link is substantially slower than
> the potential CPU throughput when compressing, but if you've got fast
> pipes, you'll notice a drastic difference by choosing an alternate
> encryption scheme.
>
> --
> Charles Steinkuehler
> [EMAIL PROTECTED]
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



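The restart failure described at the top of this message (ipsec.o cannot be unloaded while ipsec_aes.o is using it) comes down to unload order. As an added example that is not part of the thread or of LEAF's own scripts, this sketch derives a safe rmmod order, and the matching load order, from /proc/modules-style text; the Linux 2.4 line layout, the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not LEAF's ipsec init script). Works on /proc/modules text in
# the Linux 2.4 layout, assumed here: "name size usecount [user1 user2]".

# Constructed sample; sizes and use counts are made up.
sample_modules() {
cat <<'EOF'
ipsec_aes              30000   0 (unused)
ipsec                 250000   1 [ipsec_aes]
ip_conntrack           20000   1 [ipt_state]
ipt_state                600   1
EOF
}

# users_of MODULE FILE: names inside MODULE's "[...]" used-by field.
users_of() {
    awk -v m="$1" '$1 == m {
        s = index($0, "["); e = index($0, "]")
        if (s && e > s) print substr($0, s + 1, e - s - 1)
    }' "$2"
}

# walk MODULE FILE: dependents (recursively) first, MODULE last.
walk() {
    for u in $(users_of "$1" "$2"); do
        walk "$u" "$2"
    done
    echo "$1"
}

# unload_order MODULE FILE: rmmod order, duplicates dropped.
unload_order() { walk "$1" "$2" | awk '!seen[$0]++'; }

# load_order MODULE FILE: the reverse, so the base module goes in first.
load_order() {
    unload_order "$1" "$2" |
        awk '{ a[NR] = $0 } END { for (i = NR; i > 0; i--) print a[i] }'
}

# Dry run: print the commands instead of executing them.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && sample_modules > "$f"
    unload_order ipsec "$f" | sed 's/^/rmmod /'
    load_order ipsec "$f" | sed 's/^/insmod /'
    rm -f "$f"
fi
```

Run with `--demo` to see the printed plan for the constructed sample; pointing the functions at the real /proc/modules only works where the file uses the bracketed used-by layout assumed above.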
