tech-net archive


Re: NetBSD IP security in practice



> Who among us is using IP security in practice (production)?
We were using IPsec in production until a year or two ago.
During that period, we were physically split across two sites. At times, we 
even had most of the ~150 clients at the new site, but nearly all of the 
servers (including NFS and LDAP) at the old site because the server room at the 
new site was still under construction! So we tunneled across the university 
network.

> Are you using it just for VPN/tunneling, or in transport mode?
We were using an IPsec ESP tunnel and racoon with fixed master secrets.

> How well does it perform?
At the slower end, we had an old P4 machine which could almost cope with the 
100MBit connectivity there.

> What quirks does it have?
I don't remember. We had one strange issue with pf which, on one end, sometimes 
consistently ate up the SYN packets of the TCP handshake. It would, from time 
to time, seem to randomly choose a client to sabotage and then drop its SYNs 
for some minutes. No, no errors in the configuration: all block rules had `log' 
in them and nothing was logged.
We never managed to track this down and circumvented it by switching from pf to 
ipf.

> How does our documentation stack up? Was it clear enough by itself,
> or did you have to consult other sources to get IP security to work on NetBSD?
I think I set it up with the documentation only, but maybe I used other sources 
like my bookshelf, Wikipedia or the like.

All this was on 4.0.1, i386 on one end and amd64 on the other.
Of course, it was not exactly fun to have some hundred NFS clients connected to 
the server through a 100MBit tunnel plus IPsec latency, but it did work! We 
even installed new machines (with FAI) across the tunnel.
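As an added example, not code from the post above and not anything NetBSD itself ships: the pieces of a gateway-to-gateway ESP tunnel of the kind described in the reply (setkey(8) SPD policies plus a racoon(8) configuration). It assumes that "fixed master secrets" means IKEv1 pre-shared keys rather than manually keyed SAs, and that the endpoints are IPv4. The gateway addresses (203.0.113.1 / 203.0.113.2), the networks behind them (192.0.2.0/24 / 198.51.100.0/24), the file locations under /etc/racoon and the secret are made-up sample values.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the configuration
# for one end of a NetBSD IPsec ESP tunnel between two gateways, assuming IKEv1
# with pre-shared keys handled by racoon(8). Addresses, networks and the
# secret are constructed sample values.

# spd_policies LOCAL_GW LOCAL_NET REMOTE_GW REMOTE_NET
# Prints the setkey(8) SPD entries (the contents of /etc/ipsec.conf) for the
# gateway LOCAL_GW, whose LAN is LOCAL_NET.
spd_policies() {
    lgw=$1; lnet=$2; rgw=$3; rnet=$4
    # Outbound: LAN-to-LAN traffic, encapsulated from our gateway to theirs.
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
    # Inbound: the mirror image. The tunnel endpoints swap as well; copying
    # the outbound line and changing only "-P out" to "-P in" is the usual
    # mistake, and the resulting policy describes a tunnel that never exists.
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
}

# racoon_conf REMOTE_GW
# Prints /etc/racoon/racoon.conf for the same gateway: a main-mode Phase 1
# with a pre-shared key, and a Phase 2 ESP proposal with PFS.
racoon_conf() {
    rgw=$1
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $rgw {
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# write_psk DIR REMOTE_GW SECRET
# Writes DIR/psk.txt ("<peer address> <secret>", one per line). The secret is
# stored in clear, so the file is created under umask 077 (mode 0600).
# Prints the path written.
write_psk() {
    dir=$1; rgw=$2; secret=$3
    ( umask 077; printf '%s %s\n' "$rgw" "$secret" > "$dir/psk.txt" )
    printf '%s/psk.txt\n' "$dir"
}

# Sample run for gateway A (203.0.113.1, LAN 192.0.2.0/24) peering with
# gateway B (203.0.113.2, LAN 198.51.100.0/24). Gateway B uses the same
# functions with the two gateway/network pairs swapped.
spd_policies 203.0.113.1 192.0.2.0/24 203.0.113.2 198.51.100.0/24
racoon_conf 203.0.113.2
```

Once the generated /etc/ipsec.conf and /etc/racoon/racoon.conf are in place, `setkey -f /etc/ipsec.conf` loads the policies and `setkey -DP` / `setkey -D` show the installed policies and the SAs racoon has negotiated; with `ipsec=YES` and `racoon=YES` in /etc/rc.conf the rc.d scripts do the same at boot. Phase 2 is negotiated on the first packet that matches an outbound policy, so the first connection through a freshly started tunnel stalls briefly, which is normal.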

