--- Preparing the server ---

=> Make sure you have an unwanted disk (we will wipe it) that is at least 5 Gigs in size.
=> Install FreeBSD 6.1

--- end ---

--- Installing FreeBSD 6.1 ---

We will only need disk1. Insert disk1 into CDROM and boot the default.

Choose "226 - United States" at Country Selection.
Choose "Standard" at sysinstall Main Menu.
OK at Message.
Select "A" at Partition Editor, then "S" to make the *s1 slice bootable (mine was ad0s1), then "Q" to get out.
Choose "BootMGR" at Install Boot Manager screen.
OK at Message.
Select "A" at Disk Label Editor, then "T" to set the Newfs flag to Y on all the partitions except the swap. Make sure all the partitions, except the swap, have the "Y" flag at the end. Then select "Q" to get out.
Select only "Kern-developer" at Choose Distribution.
When asked if you want to install FreeBSD ports, answer "Yes".
Press TAB and confirm OK at "Choose Distribution".
Choose "CD/DVD" at Choose Installation Media screen.

The installation will now occur. If you get any massive errors here, it is because the partitioning didn't take. It happened here, and we do not know why it happens. If it happens, reboot and start over. It will happen only once.

Select "yes" to Configure Ethernet.
Pick your ethernet card (mine was vr0).
NO to IPv6
YES to DHCP
Give a hostname, and select OK
YES to Network Gateway
NO to Configure inetd
YES to SSH login
NO to Anonymous FTP
NO to NFS server
NO to NFS client
NO to Customize System Console
YES to Set Timezone
NO to CMOS Set to UTC
Choose region 2 at Time Zone Selector.
Choose "45 - United States" at Countries in America.
Choose your proper time zone at next screen.
Select Yes to Linux Binary Compatibility.
Select No at PS2 Mouse.
Select No at Browse Packages.
YES to add an initial account.
Select "User" at User and Group Management.
Give your userid on hifn.xelerance.com as login ID, and set a password, and then select OK.
Select "Exit" at User and Group Management screen.
Select OK at Message.
Enter a root password. Enter it again.
Select No at Visit General Configuration.
Select Exit at sysinstall Main Menu.
Select Yes at "Are you Sure" screen.

At the end of the install, the machine will reboot. Make sure to remove the CD from the drive at bootup.

After the first reboot, the system will ask you to type a screenful of characters to set entropy. Do so, and then:

=> Login as root.

portsnap fetch
portsnap extract

=> Edit /etc/group and add your userid to the wheel group line. Save the file.

cd /usr/ports/ftp/wget
make install

--- end ---

--- Get OCF FreeBSD Kernel and compile kernel ---

=> As a regular user, scp the FreeBSD kernel from hifn.xelerance.com

cd $HOME
scp @hifn.xelerance.com:/hifn/MASTER/files/freebsd-6.1-ocf-81a211.tgz .
tar -xzvf freebsd-6.1-ocf-81a211.tgz
cd freebsd-6.1-ocf-81a211
cd i386/conf
config CATFISH
cd ../compile/CATFISH
make depend
make

=> As root:

su root
make install
reboot

--- end ---

--- Get the crypto tools ---

=> As a normal user, go to http://ocf-linux.sourceforge.net/ and download crypto-tools-20060331.tgz

wget http://superb-west.dl.sourceforge.net/sourceforge/ocf-linux/crypto-tools-20060331.tar.gz
tar -zxvf crypto-tools-20060331.tar.gz
cd crypto-tools

=> Edit cryptokeytest.c and replace "#include " with "#include "

make

--- end ---

--- Test with crypto-tools ---

=> Switch to root and run a test

su - root
cd ~
cd crypto-tools
./cryptotest -a 3des 100000 1400

=> With the Hifn card in, you should see at least 150 Mb/sec. If the command returns immediately without any output, it is because it cannot access any ocf devices, and since we ONLY enabled Hifn device in OCF, this means that we are either not booted into the correct kernel, or we did not enable OCF and Hifn card properly in the kernel config before we compiled the kernel.
--- end ---

--- Compile OpenSSL ---

=> As root:

cd /usr/ports/security/openssl
make install

--- end ---

--- Configure manual IPsec keying ---

=> As root, run the following:

setkey -FP
setkey -F
set OURIP=
set HISIP=
set OURKEY=0x0123456789abcdef02468ace13579bdf123456789abcdef0
set HISKEY=0x0123456789abcdef02468ace13579bdf123456789abcdef0
set OURAUTH=0x123456789abcdef02468ace013579bdf
set HISAUTH=0x123456789abcdef02468ace013579bdf
setkey -vc << EOF
add $OURIP $HISIP esp 0x100 -m transport -E 3des-cbc $HISKEY -A hmac-md5 $HISAUTH ;
add $HISIP $OURIP esp 0x101 -m transport -E 3des-cbc $OURKEY -A hmac-md5 $OURAUTH ;
spdadd $OURIP/32[any] $HISIP/32[any] any -P out ipsec esp/transport/$OURIP-$HISIP/require ;
spdadd $HISIP/32[any] $OURIP/32[any] any -P in ipsec esp/transport/$HISIP-$OURIP/require ;
EOF

=> Set up the other end; make sure to flip the values in OURIP and HISIP.

=> Test by running "tcpdump -n -i vr0" in one window and running "ping " in another window. You should see only ESP packets flow, and not ICMP packets.

--- end ---

--- Testing the card with manually keyed IPsec ---

=> We use the flood parameter of the ping command to send as many packets as possible in a short amount of time. We don't even care if we get many responses back. As long as we get one ping packet back out of the whole bunch that we send out, then we know the link is good.

=> As root, on the platform with the card:

time ping -c 100000 -l 100000 -s 1400 -f 192.168.88.68

=> The important part is the CPU percentage. Without the card, the CPU percentage will be around 65%+, while with the card it will be hard to reach 9% CPU.
--- end ---

--- Filling /dev/random from the hifn card ---

=> You will need gnuplot for this test, so you can install it on any Linux box you have, or even on this FreeBSD server by doing, as root:

cd /usr/ports/math/gnuplot
make install

=> Now login as a regular user, and get the random testing script from hifn.xelerance.com:

cd $HOME
scp @hifn.xelerance.com:/hifn/MASTER/files/test1.pl .

=> Now we run the script to get some raw data:

perl test1.pl > freebsd.hifn.dat

=> Once done, bring the .dat file to the machine where you installed gnuplot, then on that machine do:

(echo "set terminal png"
echo "set output 'freebsd.hifn.png'"
echo "plot 'freebsd.hifn.dat'"
) | gnuplot -persist -

=> That will generate a file called freebsd.hifn.png. Use a web browser or an image viewer to have a look at it. You will need to compare with the ones on hifn.xelerance.com, Milestone2.

--- end ---
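
Added example for the "Configure manual IPsec keying" step (not part of the original procedure): a POSIX sh generator for both ends' setkey input. An SA is one-directional and is identified by destination, protocol and SPI, so the two hosts need identical "add" lines and only the "spdadd" directions swap; the script also checks key lengths (24 bytes for 3des-cbc, 16 for hmac-md5). The host addresses are constructed placeholders, the function names are this example's own, and the keys are the page's test values.

```shell
#!/bin/sh
# Added example (not from the original page). Host addresses are constructed
# RFC 5737 values; the keys are the page's test values, not production keys.
ENC_KEY=0x0123456789abcdef02468ace13579bdf123456789abcdef0   # 3des-cbc
AUTH_KEY=0x123456789abcdef02468ace013579bdf                  # hmac-md5

# key_ok VALUE BYTES: succeed only for "0x" plus exactly 2*BYTES hex digits.
key_ok() {
    case $1 in 0x*) ;; *) return 1 ;; esac
    hex=${1#0x}
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#hex}" -eq $(($2 * 2)) ]
}

# sa_lines A B: the SAD entries. An SA is one-directional and is matched on
# destination, protocol and SPI, so both hosts load these lines unchanged.
sa_lines() {
    echo "add $1 $2 esp 0x100 -m transport -E 3des-cbc $ENC_KEY -A hmac-md5 $AUTH_KEY ;"
    echo "add $2 $1 esp 0x101 -m transport -E 3des-cbc $ENC_KEY -A hmac-md5 $AUTH_KEY ;"
}

# spd_lines LOCAL REMOTE: the policies, which are relative to the local host.
spd_lines() {
    echo "spdadd $1/32[any] $2/32[any] any -P out ipsec esp/transport/$1-$2/require ;"
    echo "spdadd $2/32[any] $1/32[any] any -P in ipsec esp/transport/$2-$1/require ;"
}

# gen_conf A B SIDE: full setkey input for host A (SIDE=a) or host B (SIDE=b).
gen_conf() {
    key_ok "$ENC_KEY" 24 && key_ok "$AUTH_KEY" 16 || {
        echo "bad key length" >&2
        return 1
    }
    sa_lines "$1" "$2"
    case $3 in
        a) spd_lines "$1" "$2" ;;
        b) spd_lines "$2" "$1" ;;
        *) echo "SIDE must be a or b" >&2; return 1 ;;
    esac
}

# Print host A's input; on the real machine, pipe it to "setkey -c".
gen_conf 192.0.2.1 192.0.2.2 a
```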