[Soekris] Hi/fn cards and SSH...

Andy Michaels lego at therac25.net
Fri Mar 16 14:32:59 UTC 2007


On Fri, 16 Mar 2007, Stuart Henderson wrote:

> On 2007/03/16 10:04, Andy Michaels wrote:
>>> using sysctl 'kern.usercrypto=0' (see /etc/sysctl.conf) will allow
>>> the card to be used for IPsec which doesn't have reported problems,
>>> and disable it for userland which does.
>>
>> So the problem only exists if I run the crypto code in userland?
>
> the only time I've heard mention of the problem is when userland
> crypto is accelerated by the hifn cards.
>
>> Maybe I don't completely understand the situation, but when you say
>> "used for IPSEC", does this imply that IPSEC is run as part of the
>> kernel
>
> Yes, that's right. isakmpd runs in userland and sets up the flows,
> but the actual crypto is done in-kernel.
>
>> and that say, L2TP is not?
>
> afaik there's no L2TP implementation that works with OpenBSD,
> feel free to correct me if I'm wrong (especially if it's L2TPv3)
>
> (I think L2TP is usually protected by underlying IPsec though)
>
>> What about OpenVPN?
>
> OpenVPN runs in userland, so disabling usercrypto would stop it
> being accelerated. I don't know whether it's affected by the bug,
> but if you test and find that it does work ok, you could always
> disable the hardware-accelerated ciphers in sshd - see Ciphers
> in sshd_config(5) - and continue to use them for OpenVPN.
>

Thanks for the clarifications, Stuart!  So, if I'm going to run OpenVPN, 
it doesn't seem to make sense to purchase the VPN accelerator.

-Andy