linux-ipsec: Some FreeS/WAN docu

Hello,

I've updated and extended my online docu now to match the new KLIPS code. I have reorganized the pages a bit so it might become a REAL online docu with some more work... Here's the URL, from where you can access some more IPSec stuff I have collected on my Website:

http://www.imib.med.tu-dresden.de/imib/Internet/index.html

There are example scripts I have tested in my "lab". They should be easily adaptable to other configurations. Please tell me your comments on my pages, if they are useful this way.

Also quite interesting: I have done some performance testing in this environment using ttcp and a 24 MByte file (whcih can be hold in the cache, no HD access times therefore):

A --- B ====== C ====== D --- E

A - B ..... 10 MBit shared 
B - C - D . 100 MBit exclusive (only crossover TP-connected)
D - E ..... 10 MBit exclusive

1. 233 MHz, 64 MB B, C, D P133, >48 MB RAM
2. 200 MHz, 32 MB RAM

IPSec-Hosts: B and D

Tunnel Mode, encapsulating all traffic from A-net to E-net:

plain:             850 kByte/s
AH (HMAC-MD5):     760 kByte/s
ESP (3DES-MD5-96): 280 kByte/s ( :-(( )
both:              260 kByte/s ( ... )

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Transport Mode, B to D (100 MB)

plain:             10600 kByte/s
AH (HMAC-MD5):     2580  kByte/s
ESP (3DES-MD5-96): 340 kByte/s ( ... )
both:              312 kByte/s ( ... )

Two questions to the developers according to Transport Mode: When I set up a host route with "eroute": eroute add B-IP 255.255.255.255 C-IP 255.255.255.255 C-IP SPI this won't be host-to-host-tunneling, right? But you write, that transport mode only works on the same subnet for now, but I see encrypted packets (at least proto 50 / 51 with TCPdump, is there a TCPDUMP which shows ESP and AH "in clear"? I used the version from FreeS/WAN page...), and the time

Hope this helps a bit for a "wide deployment of IPSec with Linux",

Greetings
Kai

# Kai Martius #
Received on Thu May 14 09:55:56 1998