
   IPSec Toolkit™


  • Which operating systems are supported?
  • What compile environment do I need?
  • What kind of packets does the Toolkit need?
  • Is any kernel-processing involved?
  • What components does the Toolkit include?
  • Which encryption algorithms are supported?
  • Do you have any additional performance data?
  • Is hardware acceleration supported?
  • What are the memory, disk space and CPU requirements?
  • Can the Toolkit work from behind a NAT device?
  • Can Toolkit source code be licensed?
  • Isn't the Pluto IKE Server under the GPL license?
  • Does the toolkit support dyn-ip remote access users?
  • What is the maximum number of tunnels?
  • How are VPN Tunnels configured?
  • How many protocol bytes are added to packets?
  • Are X.509 certificates supported?

    Which operating systems are supported?

    Currently, the following operating systems are supported:

    • Windows: 95, 98, Me, NT, 2000, 2003, XP 32-bit, XP 64-bit, Vista 32-bit
    • Linux: 2.4 and 2.6 kernels
    • OS/2: 3.0, 4.0, WSeB, eComStation 1.x
    • FreeBSD 4.7+ (undergoing development - available on demand).

    Please note that the IPSec Toolkit does not include packet capture technology. You must already have access to raw IP packets, or separately license a packet-intercepting product such as F/X's IPAPI Packet Intercepting/NDIS Toolkit.

    The Toolkit is written in pure ANSI C and uses an OS platform abstraction layer, so porting to other Intel platforms is easy. Contact F/X Communications if your project requires porting to a new operating system.


    What compile environment do I need?

    The IPSec Toolkit requires only commonly available components to compile:

    • Windows: Microsoft Visual C 6.0+
    • Linux: GNU development tools (gcc, autoconf, make, etc)
    • OS/2: Visual Age C++ 3.0 fixpack 8, or newer


    What kind of packets does the Toolkit need?

    IPSec is a transparent security layer that needs kernel-level packet access. The Toolkit requires raw Ethernet frames, with full IP and MAC header information.

    When hardware acceleration is used, packets can be no larger than 18K; otherwise the limit is 65K.


    Is any kernel-processing involved?

    IPSec itself runs entirely in user space. The context only switches to kernel space when hardware acceleration is used; the cost of that switch is offset by call-back routines and a significant increase in encryption performance.


    What components does the Toolkit include?

    The IPSec Toolkit™ consists of the following structural modules:

    • IPSec Engine ("IPSec")
      Performs security checks and packet transformation, including traffic authentication and encryption. Features such as AH, ESP, IPComp, NAT-T, Virtual IP support and configuration management belong to the IPSec engine.

    • IKE Server ("Pluto")
      Complete standards-compliant implementation of the IKE protocol. The Pluto IKE server negotiates the security policy and relays it to the IPSec Engine.

    • IPSec Interface Module ("IIDLL")
      The IIDLL module is the intermediate layer between Pluto and the IPSec Engine.

    • Authentication Database ("FXAuth")
      The FXAuth module is invoked by Pluto to authenticate the client side of the IPSec tunnel. FXAuth interfaces with the built-in server-side user database of XAuth-authenticated VPN Clients. It is also possible to develop a plugin for FXAuth that accesses an external store of authentication information, e.g. MySQL.

    • Portability Module ("FXUtil")
      FXUtil is a multi-platform abstraction library used by IPSec and FXAuth to maintain platform independence.


    Which encryption algorithms are supported?

    The IPSec Toolkit implements the following ESP transformations:

    • DES
    • Triple DES (3DES)
    • AES (NIST-approved Rijndael implementation)
    • BlowFish
    • NULL-ESP (no encryption - only tunneling)


    Do you have any additional performance data?

    The following numbers are provided to help you get an impression of the basic IPSec performance:

    • Maximum bandwidth with 1DES encryption: 9Mbit/sec (on a 1GHz CPU with 0.5-1KB sized packets).
    • Maximum bandwidth with 3DES encryption: 3Mbit/sec (on a 1GHz CPU with 0.5-1KB sized packets).
    • Average time to establish a tunnel: 1-3sec on high-bandwidth connections (such as a 10Mbit LAN) and 3-5sec on traditional modem dial-up.
    • Average time to destroy a tunnel: 0sec (no CPU consuming activities involved).
    • Maximum number of tunnels per second: 100-150 (on a 1GHz CPU with a 100Mbit connection). The time to establish a tunnel depends highly on the IKE Server configuration, user authentication options, and the equipment at the opposing end-point.

    With hardware acceleration (with one NetOctave NSP2000 unit), the following performance numbers are available:

    • Maximum bandwidth with 3DES encryption: 250Mbit/sec (on a 2.66GHz CPU with 0.5-1KB sized packets).
    • Maximum bandwidth with 1DES encryption: 275Mbit/sec (on a 2.66GHz CPU with 0.5-1KB sized packets).

    Note: by limiting support to only a single instance of IPSec, the accelerated performance figures can be nearly doubled.


    Is hardware acceleration supported?

    Yes. We support NetOctave's NSP2000 processors, which provide acceleration for the 3DES / DES / MD5 / SHA1 algorithms.


    What are the memory, disk space and CPU requirements?

    The IPSec Toolkit™ standard minimum requirements are:

    • Pentium®-class processor.
    • 8MB of free memory.
    • 8MB of free disk space.
    • A supported Operating System must be installed.
    • Long file name support (for compilation).
    • A TCP/IP Stack must be present in the Operating System.
    • Loop-back interface (defined as: 127.0.0.1).

    For each Security Association, the Toolkit requires roughly 3000 bytes.

    The IPSec Toolkit can be tailored to comply with embedded OEM requirements.


    Can the Toolkit work from behind a NAT device?

    Yes. NAT Traversal (IETF drafts 3 and 2/1) allows transparent tunnel establishment through NAT devices. IPSec-aware NAT devices are also supported.


    Can Toolkit source code be licensed?

    Pluto IKE Server source code is freely available, on demand.

    Complete source code for the IPSec Engine / FXAuth database / and other related components is available at extra cost. Contact F/X Communications for license and support options.


    Isn't the Pluto IKE Server under the GPL license?

    Yes. We maintain a parallel copy of the Pluto IKE Server. Source code can be requested at info@fx.dk.


    Does the toolkit support dyn-ip remote access users?

    The Toolkit supports Road Warriors (referring to people on the road), allowing the use of a single server-side tunnel definition to respond to a multitude of remote users (with dynamic IP addresses).

    The Toolkit also provides Extended Authentication, which increases security and allows a VPN Server to assign each remote user a static internal IP address (Virtual IP).

    Running VPN Servers on a dynamic IP address is possible with standard DNS lookup on the remote IP (but generally not recommended).


    What is the maximum number of tunnels?

    1000 VPN Tunnels are supported by default. Support of more tunnels can be made available at compile time. The toolkit has been tested with more than 5000 concurrent IPSec tunnels.


    How are VPN Tunnels configured?

    The tunnel definitions (a.k.a. SA database) can be read either from a text file (default), or the IPSec Engine can be initialized programmatically with SAs from e.g. the Windows registry / .ini files / etc.

    At run time, tunnel definitions can be inserted and removed seamlessly, in real time.


    How many protocol bytes are added to packets?

    Generally, IPSec processing adds from 40 to 80 bytes per packet. The exact number depends on the protocols used, padding, and tunneling options.

    With IP compression enabled, IPSec packets can decrease in size.
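    As an added illustration (not the Toolkit's own code), the following Python estimates the per-packet overhead of ESP for the transforms listed on this page, showing where the 40-80 byte range comes from. The header layout follows the standard ESP format; the IV and ICV lengths are assumed typical values, not figures from the Toolkit's documentation.

```python
# Added example: estimate the bytes ESP adds to a packet. Constants follow
# the standard ESP packet layout (RFC 4303); cipher/ICV sizes below are
# assumed typical values, not taken from the Toolkit's own documentation.

ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
OUTER_IPV4 = 20     # new outer IPv4 header added in tunnel mode (no options)
NATT_UDP = 8        # UDP encapsulation header used by NAT-T

# (cipher block size, explicit IV length) for the ESP transforms on the page.
# NULL-ESP has no IV; ESP still requires 4-byte alignment of the trailer.
CIPHERS = {
    "DES": (8, 8),
    "3DES": (8, 8),
    "AES": (16, 16),
    "Blowfish": (8, 8),
    "NULL": (4, 0),
}

# Truncated HMAC ICV sizes for the authentication algorithms the page names.
ICV = {"HMAC-MD5-96": 12, "HMAC-SHA1-96": 12, "none": 0}


def esp_padding(payload_len, block):
    """Padding bytes so that payload + padding + trailer is a multiple
    of the cipher block size (minimum 4-byte alignment for NULL-ESP)."""
    return (-(payload_len + ESP_TRAILER)) % block


def esp_overhead(payload_len, cipher="3DES", auth="HMAC-SHA1-96",
                 tunnel=True, nat_t=False):
    """Total bytes added to a packet whose protected payload is payload_len.

    In tunnel mode the whole inner IP packet is the payload and a new outer
    IP header is prepended; in transport mode only the layer-4 data is
    protected and the original IP header is reused. NAT-T adds a UDP header."""
    block, iv_len = CIPHERS[cipher]
    overhead = (ESP_HEADER + iv_len + esp_padding(payload_len, block)
                + ESP_TRAILER + ICV[auth])
    if tunnel:
        overhead += OUTER_IPV4
    if nat_t:
        overhead += NATT_UDP
    return overhead


if __name__ == "__main__":
    # Constructed sample: a 1000-byte inner IP packet through a 3DES/SHA1 tunnel.
    print("3DES tunnel overhead:", esp_overhead(1000))            # 56 bytes
    print("AES tunnel + NAT-T:", esp_overhead(1000, "AES", nat_t=True))  # 72 bytes
```

    Note that IPComp, which the page mentions, is not modelled here: it adds a 4-byte header of its own but can shrink the payload by more than the ESP overhead.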


    Are X.509 certificates supported?

    Yes, full X.509 Digital Certificates support is available.



    The InJoy Firewall™, InJoy Dialer™, FX IPSec Toolkit™,
    and the IPAPI Packet Intercepting/NDIS Toolkit™ are registered trademarks of F/X Communications.
    Copyright © 1996-2007 F/X Communications. All Rights Reserved.