# Edgerouter Lite and IPSEC_NAT_T



## bartin (Feb 21, 2017)

I've just replaced a dying OpenWRT router on a remote site with a Edgerouter Lite running 11.0-RELEASE, wireless wasn't needed. But I do need IPSEC support from this router to another location. Unfortunately both ends of the IPSEC tunnel are behind NAT.

So I used Colin's buildimg.sh script to create a image for the platform. Only changes to the build was adding:
options IPSEC
options IPSEC_NAT_T
To the ERL kernel config. 

Now to the problem, adding IPSEC_NAT_T to the kernel and starting a "basic" racoon (from ipsec-tools)[1] crashes and reboots the ERL. Has anybody experienced something like this or have any advise for fixing it? 

At the moment I'm running OpenVPN to setup the tunnel, but even with cipher none the performance is nowhere near what I need (5-8Mbit/s on a 50/50Mbit/s line).

/Bjorn

[1] racoon.conf

```
# Simple racoon.conf
#

log notify;
path certificate "/usr/local/etc/cert";

padding {
        # options are not to be changed

        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

listen {
        adminsock disabled;
        isakmp  192.168.1.2 [500];
        isakmp_natt 192.168.1.2 [4500];
}


timer {
        counter 5;
        interval 20 sec;
        persend 1;
        natt_keepalive 30 sec;
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        exchange_mode aggressive;
        certificate_type x509 "cert.crt" "cert.key";
        ca_type x509 "ca.crt";
        my_identifier asn1dn;
        nonce_size 16;
        initial_contact on;
        proposal_check claim;

        nat_traversal force;

        proposal {
                authentication_method rsasig;
                hash_algorithm sha1;
                encryption_algorithm aes 256;
                lifetime time 3600 sec;
                dh_group 2;
        }

        proposal {
                authentication_method rsasig;
                hash_algorithm sha1;
                encryption_algorithm aes;
                lifetime time 3600 sec;
                dh_group 2;
        }
}

sainfo anonymous {
    lifetime time 3600 sec;
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    pfs_group modp2048;
}
```


----------



## Crest (Feb 22, 2017)

While the EdgeRouter Lite is a nice piece of gear without drivers for most of the offloading hardware it is just a slow 500MHz scalar dual-core MIPS64 big-endian system. By installing anything but EdgeOS you are limited to what those CPUs can get out of NICs without offloading hardware, but FreeBSD should support the hardware crypto engine which should be enough to get 50Mb/s IPsec throughput (depending on the average packet size).

MIPS is at best a Tier 2 and you can expect to run into problems. Please report them on bugs.freebsd.org and join the FreeBSD MIPS mailing list. Do you know how to save the crash dumps?


----------



## bartin (Feb 22, 2017)

Crest said:


> While the EdgeRouter Lite is a nice piece of gear without drivers for most of the offloading hardware it is just a slow 500MHz scalar dual-core MIPS64 big-endian system. By installing anything but EdgeOS you are limited to what those CPUs can get out of NICs without offloading hardware, but FreeBSD should support the hardware crypto engine which should be enough to get 50Mb/s IPsec throughput (depending on the average packet size).



I know, on paper it's pretty ideal for my use case. 



Crest said:


> MIPS is at best a Tier 2 and you can expect to run into problems. Please report them on bugs.freebsd.org and join the FreeBSD MIPS mailing list. Do you know how to save the crash dumps?



Yeah, that's the problem and why I came here first. The ERL is installed in a remote location, so creating the crash dumps and getting to them isn't easy. But I will see if I can't get another router for the location. That way I can debug the problem in a more controlled environment.


----------

