I've just replaced a dying OpenWRT router on a remote site with an EdgeRouter Lite running 11.0-RELEASE; wireless wasn't needed. But I do need IPSEC support from this router to another location. Unfortunately both ends of the IPSEC tunnel are behind NAT.
So I used Colin's buildimg.sh script to create an image for the platform. The only changes to the build were adding:
options IPSEC
options IPSEC_NAT_T
To the ERL kernel config.
Now to the problem: adding IPSEC_NAT_T to the kernel and starting a "basic" racoon (from ipsec-tools)[1] crashes and reboots the ERL. Has anybody experienced something like this or have any advice for fixing it?
At the moment I'm running OpenVPN to set up the tunnel, but even with cipher none the performance is nowhere near what I need (5-8Mbit/s on a 50/50Mbit/s line).
/Bjorn
[1] racoon.conf
Code:
# Simple racoon.conf
#
log notify;
path certificate "/usr/local/etc/cert";

padding {
        # options are not to be changed
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

listen {
        adminsock disabled;
        isakmp 192.168.1.2 [500];
        isakmp_natt 192.168.1.2 [4500];
}

timer {
        counter 5;
        interval 20 sec;
        persend 1;
        natt_keepalive 30 sec;
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        exchange_mode aggressive;
        certificate_type x509 "cert.crt" "cert.key";
        ca_type x509 "ca.crt";
        my_identifier asn1dn;
        nonce_size 16;
        initial_contact on;
        proposal_check claim;
        nat_traversal force;

        proposal {
                authentication_method rsasig;
                hash_algorithm sha1;
                encryption_algorithm aes 256;
                lifetime time 3600 sec;
                dh_group 2;
        }

        proposal {
                authentication_method rsasig;
                hash_algorithm sha1;
                encryption_algorithm aes;
                lifetime time 3600 sec;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 3600 sec;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
        pfs_group modp2048;
}