Date:      Mon, 03 Aug 2015 17:23:04 +0100
From:      "George Neville-Neil" <gnn@neville-neil.com>
To:        "Sydney Meyer" <meyer.sydney@googlemail.com>
Cc:        "FreeBSD CURRENT" <freebsd-current@freebsd.org>
Subject:   Re: IPSEC stop works after r285336
Message-ID:  <3D37A596-CC4A-446C-BBE7-27DC9DC7E1F7@neville-neil.com>
In-Reply-To: <D7F8E74C-F58E-4051-A35A-3FCC44A0007F@googlemail.com>
References:  <20150729071732.GA78154@funkthat.com> <55B8CD6C.7080804@shurik.kiev.ua> <18D9D532-15B2-4B30-B088-74E7E4566254@googlemail.com> <20150801200137.GK78154@funkthat.com> <422BE6C0-B106-44E2-927A-7AE04885251F@googlemail.com> <20150802035359.GO78154@funkthat.com> <D7F8E74C-F58E-4051-A35A-3FCC44A0007F@googlemail.com>

This is being actively debugged and jmg@ and I have been testing a fix
that should address this issue.

Best,
George


On 3 Aug 2015, at 0:15, Sydney Meyer wrote:

> Hi John-Mark,
>
> the revision i built included gnn's patches to setkey already.
>
> I have tried to setup a tunnel using strongswan with gcm as esp cipher 
> mode, but the connection fails with "algorithm AES_GCM_16 not 
> supported by kernel"..
>
> Here's the full log output:
>
> Aug  3 00:34:28 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, 
> FreeBSD 11.0-CURRENT, amd64)
> Aug  3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
> Aug  3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 
> 4500 failed
> Aug  3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
> Aug  3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port 
> 4500 failed
> Aug  3 00:34:28 00[CFG] loading ca certificates from 
> '/usr/local/etc/ipsec.d/cacerts'
> Aug  3 00:34:28 00[CFG] loading aa certificates from 
> '/usr/local/etc/ipsec.d/aacerts'
> Aug  3 00:34:28 00[CFG] loading ocsp signer certificates from 
> '/usr/local/etc/ipsec.d/ocspcerts'
> Aug  3 00:34:28 00[CFG] loading attribute certificates from 
> '/usr/local/etc/ipsec.d/acerts'
> Aug  3 00:34:28 00[CFG] loading crls from 
> '/usr/local/etc/ipsec.d/crls'
> Aug  3 00:34:28 00[CFG] loading secrets from 
> '/usr/local/etc/ipsec.secrets'
> Aug  3 00:34:28 00[CFG]   loaded IKE secret for @moon.strongswan.org 
> @sun.strongswan.org
> Aug  3 00:34:28 00[LIB] loaded plugins: charon aes des blowfish rc2 
> sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey 
> pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc 
> cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default 
> stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls 
> eap-peap xauth-generic whitelist addrblock
> Aug  3 00:34:28 00[JOB] spawning 16 worker threads
> Aug  3 00:34:28 15[CFG] received stroke: add connection 'host-host'
> Aug  3 00:34:28 15[CFG] added configuration 'host-host'
> Aug  3 00:34:47 15[NET] received packet: from 10.0.30.109[500] to 
> 10.0.30.59[500] (448 bytes)
> Aug  3 00:34:47 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> Aug  3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
> Aug  3 00:34:47 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
> Aug  3 00:34:47 15[NET] sending packet: from 10.0.30.59[500] to 
> 10.0.30.109[500] (448 bytes)
> Aug  3 00:34:47 15[NET] received packet: from 10.0.30.109[4500] to 
> 10.0.30.59[4500] (282 bytes)
> Aug  3 00:34:47 15[ENC] parsed IKE_AUTH request 1 [ IDi 
> N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) 
> N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Aug  3 00:34:47 15[CFG] looking for peer configs matching 
> 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
> Aug  3 00:34:47 15[CFG] selected peer config 'host-host'
> Aug  3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with 
> pre-shared key successful
> Aug  3 00:34:47 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not 
> using ESPv3 TFC padding
> Aug  3 00:34:47 15[IKE] peer supports MOBIKE
> Aug  3 00:34:47 15[IKE] authentication of 'sun.strongswan.org' 
> (myself) with pre-shared key
> Aug  3 00:34:47 15[IKE] IKE_SA host-host[1] established between 
> 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
> Aug  3 00:34:47 15[IKE] scheduling reauthentication in 3416s
> Aug  3 00:34:47 15[IKE] maximum IKE_SA lifetime 3596s
> Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
> Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
> Aug  3 00:34:47 15[IKE] unable to install inbound and outbound IPsec 
> SA (SAD) in kernel
> Aug  3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
> Aug  3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4: 
> No such file or directory (2)
> Aug  3 00:34:47 15[KNL] unable to delete SAD entry with SPI c653554a: 
> No such file or directory (2)
> Aug  3 00:34:47 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH 
> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
> Aug  3 00:34:47 15[NET] sending packet: from 10.0.30.59[4500] to 
> 10.0.30.109[4500] (159 bytes)
>
> I know that pfsense has moved from racoon to strongswan as their 
> ike-daemon, iirc mainly because of strongswans ikev2 daemon and their 
> GCM support. I'm going to try and have a look what changes pfsense may 
> have made to strongswan to support GCM on FreeBSD, although i should 
> probably mention, i am not very experienced at this.
>
>
>> On 02 Aug 2015, at 05:53, John-Mark Gurney <jmg@funkthat.com> wrote:
>>
>> Sydney Meyer wrote this message on Sun, Aug 02, 2015 at 04:03 +0200:
>>> i have tried your patches from your ipsecgcm branch. The build 
>>> completes, boots fine and indeed, dmesg shows "aesni0: 
>>> <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard".
>>
>> Yeh, these patches are more about getting IPsec to work w/ the modes
>> that aesni now supports...
>>
>>> I'm going to try out the new cipher modes tomorrow and will get 
>>> back..
>>
>> Make sure you get the gnn's setkey changes in r286143 otherwise GCM
>> and CTR won't work...
>>
>> Thanks for doing more testing.. I've only done basic ping tests, so
>> passing more real traffic through would be nice...
>>
>>>> On 01 Aug 2015, at 22:01, John-Mark Gurney <jmg@funkthat.com> 
>>>> wrote:
>>>>
>>>> Sydney Meyer wrote this message on Wed, Jul 29, 2015 at 22:01 
>>>> +0200:
>>>>> Same here, fixed running r286015. Thanks a bunch.
>>>>
>>>> If you'd like to do some more testing, test the patches in:
>>>> https://github.com/jmgurney/freebsd/tree/ipsecgcm
>>>>
>>>> These patches get GCM and CTR modes working as tested against 
>>>> NetBSD
>>>> 6.1.5...
>>>>
>>>> Hope to commit these in the next few days..
>>>>
>>>> Thanks.
>>>>
>>>>>> On 29 Jul 2015, at 14:56, Alexandr Krivulya 
>>>>>> <shuriku@shurik.kiev.ua> wrote:
>>>>>>
>>>>>> 29.07.2015 10:17, John-Mark Gurney wrote:
>>>>>>> Alexandr Krivulya wrote this message on Thu, Jul 23, 2015 at 
>>>>>>> 10:38 +0300:
>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>>> With r285535 all works fine.
>>>>>>> Sydney Meyer wrote this message on Mon, Jul 27, 2015 at 23:49 
>>>>>>> +0200:
>>>>>>>> I'm having the same problem with IPSec, running -current with 
>>>>>>>> r285794.
>>>>>>>>
>>>>>>>> Don't know if this helps, but "netstat -s -p esp" shows packets 
>>>>>>>> dropped; bad ilen.
>>>>>>> It looks like there was an issue w/ that commit...  After 
>>>>>>> looking at
>>>>>>> the code, and working w/ gnn, I have committed r286000 which 
>>>>>>> fixes it
>>>>>>> in my test cases...
>>
>> -- 
>> John-Mark Gurney				Voice: +1 415 225 5579
>>
>>  "All that I will do, has been done, All that I have, has not."
>



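The charon log quoted in the thread shows the pattern worth recognising when triaging this class of failure: peer authentication and the IKE_SA succeed, and the failure only appears when charon asks the kernel to install the ESP SAs, because the kernel does not support the negotiated AES_GCM_16 cipher (and the orphaned SPIs are then reported when charon tries to delete SAs that were never installed). The following Python script is an added example, not code from the thread, from strongSwan or from FreeBSD; it parses the charon log line format seen above and separates the three conditions visible in that log: the UDP_ENCAP setup failure, the IKE_SA being established, and the CHILD_SA install failure with the unsupported algorithm named. The sample log is constructed by rejoining the wrapped lines quoted above; the regexes and the verdict strings are this example's own.

```python
"""Triage a strongSwan charon log for the "IKE up, CHILD_SA down" pattern."""
import re
from dataclasses import dataclass, field

# charon line shape: "<syslog ts> <thread>[<GROUP>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established")
UNSUPPORTED_RE = re.compile(r"algorithm (?P<alg>\S+) not supported by kernel")
SPI_RE = re.compile(r"unable to delete SAD entry with SPI (?P<spi>[0-9a-f]+)")

# Constructed sample: the quoted charon lines, rejoined after mail wrapping.
SAMPLE_LOG = """\
Aug  3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
Aug  3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Aug  3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
Aug  3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
Aug  3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug  3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Aug  3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug  3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4: No such file or directory (2)
"""


@dataclass
class Triage:
    ike_sas: list = field(default_factory=list)    # (connection name, IKE_SA id)
    unsupported: set = field(default_factory=set)  # algorithms the kernel rejected
    child_sa_failures: int = 0
    udp_encap_failed: bool = False                 # NAT-T socket option failed
    orphan_spis: list = field(default_factory=list)  # SAs charon tried to delete but never installed
    unparsed: int = 0                              # non-empty lines that did not match LINE_RE

    def verdict(self) -> str:
        """Classify the log; verdict strings are this example's own convention."""
        if self.child_sa_failures and self.unsupported:
            return "kernel-missing-algorithm: " + ", ".join(sorted(self.unsupported))
        if self.child_sa_failures:
            return "child-sa-failed: inspect KNL/IKE lines"
        if self.ike_sas:
            return "ok"
        return "no-ike-sa"


def parse_line(line: str):
    """Return the timestamp/thread/group/message fields, or None if not a charon line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> Triage:
    """Walk the log once and collect the facts that decide the verdict."""
    t = Triage()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            if raw.strip():
                t.unparsed += 1
            continue
        msg = rec["msg"]
        if rec["group"] == "KNL":  # kernel interface (PF_KEY) messages
            if "unable to set UDP_ENCAP" in msg:
                t.udp_encap_failed = True
            m = UNSUPPORTED_RE.search(msg)
            if m:
                t.unsupported.add(m.group("alg"))
            m = SPI_RE.search(msg)
            if m:
                t.orphan_spis.append(m.group("spi"))
        elif rec["group"] == "IKE":  # IKE state machine messages
            m = ESTABLISHED_RE.search(msg)
            if m:
                t.ike_sas.append((m.group("name"), int(m.group("id"))))
            if "failed to establish CHILD_SA" in msg:
                t.child_sa_failures += 1
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict())
    print("IKE_SAs:", result.ike_sas, "orphan SPIs:", result.orphan_spis)
```

A "kernel-missing-algorithm" verdict points at the kernel build or its crypto support (in the thread, the ipsecgcm patches and the setkey changes in r286143) rather than at peer configuration or the pre-shared key, since the IKE_SA line proves the negotiation itself succeeded. The UDP_ENCAP flag is tracked separately because it is an independent NAT-T condition that does not by itself prevent the CHILD_SA from being installed.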