This is being actively debugged and jmg@ and I have been testing a fix
that should
address this issue.
Best,
George
On 3 Aug 2015, at 0:15, Sydney Meyer wrote:
Hi John-Mark,
the revision i built included gnn's patches to setkey already.
I have tried to setup a tunnel using strongswan with gcm as esp cipher
mode, but the connection fails with "algorithm AES_GCM_16 not
supported by kernel"..
Here's the full log output:
Aug 3 00:34:28 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2,
FreeBSD 11.0-CURRENT, amd64)
Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port
4500 failed
Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port
4500 failed
Aug 3 00:34:28 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Aug 3 00:34:28 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Aug 3 00:34:28 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Aug 3 00:34:28 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Aug 3 00:34:28 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Aug 3 00:34:28 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Aug 3 00:34:28 00[CFG] loaded IKE secret for @moon.strongswan.org
@sun.strongswan.org
Aug 3 00:34:28 00[LIB] loaded plugins: charon aes des blowfish rc2
sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc
cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default
stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls
eap-peap xauth-generic whitelist addrblock
Aug 3 00:34:28 00[JOB] spawning 16 worker threads
Aug 3 00:34:28 15[CFG] received stroke: add connection 'host-host'
Aug 3 00:34:28 15[CFG] added configuration 'host-host'
Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[500] to
10.0.30.59[500] (448 bytes)
Aug 3 00:34:47 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
Aug 3 00:34:47 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[500] to
10.0.30.109[500] (448 bytes)
Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[4500] to
10.0.30.59[4500] (282 bytes)
Aug 3 00:34:47 15[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 3 00:34:47 15[CFG] looking for peer configs matching
10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
Aug 3 00:34:47 15[CFG] selected peer config 'host-host'
Aug 3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with
pre-shared key successful
Aug 3 00:34:47 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not
using ESPv3 TFC padding
Aug 3 00:34:47 15[IKE] peer supports MOBIKE
Aug 3 00:34:47 15[IKE] authentication of 'sun.strongswan.org'
(myself) with pre-shared key
Aug 3 00:34:47 15[IKE] IKE_SA host-host[1] established between
10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
Aug 3 00:34:47 15[IKE] scheduling reauthentication in 3416s
Aug 3 00:34:47 15[IKE] maximum IKE_SA lifetime 3596s
Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug 3 00:34:47 15[IKE] unable to install inbound and outbound IPsec
SA (SAD) in kernel
Aug 3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4:
No such file or directory (2)
Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c653554a:
No such file or directory (2)
Aug 3 00:34:47 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH
N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[4500] to
10.0.30.109[4500] (159 bytes)
I know that pfsense has moved from racoon to strongswan as their
ike-daemon, iirc mainly because of strongswans ikev2 daemon and their
GCM support. I'm going to try and have a look what changes pfsense may
have made to strongswan to support GCM on FreeBSD, although i should
probably mention, i am not very experienced at this.
On 02 Aug 2015, at 05:53, John-Mark Gurney <j...@funkthat.com> wrote:
Sydney Meyer wrote this message on Sun, Aug 02, 2015 at 04:03 +0200:
i have tried your patches from your ipsecgcm branch. The build
completes, boots fine and indeed, dmesg shows "aesni0:
<AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard".
Yeh, these patches are more about getting IPsec to work w/ the modes
that aesni now supports...
I'm going to try out the new cipher modes tomorrow and will get
back..
Make sure you get the gnn's setkey changes in r286143 otherwise GCM
and CTR won't work...
Thanks for doing more testing.. I've only done basic ping tests, so
passing more real traffic through would be nice...
On 01 Aug 2015, at 22:01, John-Mark Gurney <j...@funkthat.com>
wrote:
Sydney Meyer wrote this message on Wed, Jul 29, 2015 at 22:01
+0200:
Same here, fixed running r286015. Thanks a bunch.
If you'd like to do some more testing, test the patches in:
https://github.com/jmgurney/freebsd/tree/ipsecgcm
These patches get GCM and CTR modes working as tested against
NetBSD
6.1.5...
Hope to commit these in the next few days..
Thanks.
On 29 Jul 2015, at 14:56, Alexandr Krivulya
<shur...@shurik.kiev.ua> wrote:
29.07.2015 10:17, John-Mark Gurney ??????????:
Alexandr Krivulya wrote this message on Thu, Jul 23, 2015 at
10:38 +0300:
[...]
With r285535 all works fine.
Sydney Meyer wrote this message on Mon, Jul 27, 2015 at 23:49
+0200:
I'm having the same problem with IPSec, running -current with
r285794.
Don't know if this helps, but "netstat -s -p esp" shows packets
dropped; bad ilen.
It looks like there was an issue w/ that commit... After
looking at
the code, and working w/ gnn, I have committed r286000 which
fixes it
in my test cases...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to
"freebsd-current-unsubscr...@freebsd.org"
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
