Date:      Fri, 10 Aug 2018 16:44:03 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "David P. Discher" <dpd@dpdtech.com>, "Andrey V. Elsukov" <bu7cher@yandex.ru>, John-Mark Gurney <jmg@funkthat.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Is if_ipsec/ipsec - AESNI accelerated ?
Message-ID:  <ef2e1dfe-bace-af46-6c64-fd387c646b0a@sentex.net>
In-Reply-To: <BE275E67-A768-47E9-97D4-0A5E4FDC44EF@dpdtech.com>
References:  <D47976AF-A0AF-4A58-B80E-31E9DED96D26@dpdtech.com> <dc8bea35-1770-48d0-3662-c58e72bd3d2d@yandex.ru> <62E0C365-AD64-4383-8BA4-298AA0E292F4@dpdtech.com> <e9da62df-90e4-e45b-b073-c4c39555b38d@yandex.ru> <BE275E67-A768-47E9-97D4-0A5E4FDC44EF@dpdtech.com>

On 8/9/2018 4:11 PM, David P. Discher wrote:
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D
> Password:
> 10.245.0.201 10.245.0.202
> 	esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
> 	E: rijndael-cbc  79e053a5 221c6d48 31e4c98a 3ae8c8ed
                         ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ ^^^^^^^^

BTW, if you use a static psk, does not the above line essentially give
someone with access to the ESP traffic a way to decode your traffic?

	---Mike

> 	A: hmac-sha2-256  9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc 6bb39fbb 212abce0
> 	seq=0x00000011 replay=4 flags=0x00000000 state=mature
> 	created: Aug  9 19:21:15 2018	current: Aug  9 19:38:13 2018
> 	diff: 1018(s)	hard: 86400(s)	soft: 69120(s)
> 	last: Aug  9 19:21:16 2018	hard: 0(s)	soft: 0(s)
> 	current: 2652(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 17	hard: 0	soft: 0
> 	sadb_seq=1 pid=2441 refcnt=1
> 10.245.0.202 10.245.0.201
> 	esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
> 	E: rijndael-cbc  221239cf e0ddedc5 88f1f711 5e744723
> 	A: hmac-sha2-256  bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27
> 	seq=0x00000000 replay=4 flags=0x00000000 state=mature
> 	created: Aug  9 19:21:15 2018	current: Aug  9 19:38:13 2018
> 	diff: 1018(s)	hard: 86400(s)	soft: 69120(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=2441 refcnt=1
> 
> 
> 
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] > sudo setkey -D -P
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
> 	in ipsec
> 	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
> 	spid=22 seq=11 pid=2443 scope=global
> 	refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
> 	in ipsec
> 	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
> 	spid=24 seq=10 pid=2443 scope=global
> 	refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> 	in ipsec
> 	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
> 	spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
> 	refcnt=1
> ::/0[any] ::/0[any] any
> 	in ipsec
> 	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
> 	spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
> 	refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> 	in ipsec
> 	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
> 	spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
> 	refcnt=1
> ::/0[any] ::/0[any] any
> 	in ipsec
> 	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
> 	spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
> 	refcnt=1
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
> 	out ipsec
> 	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
> 	spid=21 seq=5 pid=2443 scope=global
> 	refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
> 	out ipsec
> 	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
> 	spid=23 seq=4 pid=2443 scope=global
> 	refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> 	out ipsec
> 	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
> 	spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
> 	refcnt=1
> ::/0[any] ::/0[any] any
> 	out ipsec
> 	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
> 	spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
> 	refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> 	out ipsec
> 	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
> 	spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
> 	refcnt=1
> ::/0[any] ::/0[any] any
> 	out ipsec
> 	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
> 	spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
> 	refcnt=1
> 
> 
> --
> David P. Discher 
> https://davidpdischer.com/
> 408.368.3725 • dpd@dpdtech.com
> 


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada
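The point above is that a `setkey -D` dump carries the raw SA keys; with a static (manually keyed) SA, anyone who reads the dump and can capture the ESP packets has everything needed to decrypt them. Added here as an example, not code from the thread, is a small Python filter that scrubs the `E:`/`A:` key words from such a dump before it is shared, keeping only the algorithm and key length. The sample dump and its key values are constructed.

```python
import re

# Key lines in "setkey -D" output look like
#     <tab>E: rijndael-cbc  <eight-hex-digit words...>   (encryption key)
#     <tab>A: hmac-sha2-256  <eight-hex-digit words...>  (authentication key)
# i.e. a tag, the algorithm name, then the raw key as 32-bit hex words.
# A leading "> " is also accepted so quoted e-mail text matches as well.
KEY_LINE = re.compile(
    r"^(?P<lead>[>\s]*(?P<kind>[EA]):\s+(?P<alg>\S+)\s+)"
    r"(?P<key>[0-9a-fA-F]{8}(?:\s+[0-9a-fA-F]{8})*)\s*$"
)


def redact_setkey_dump(text):
    """Return (scrubbed_text, keys_found) for a setkey -D dump.

    Each hex key is replaced by a placeholder that keeps the algorithm and
    the key length, which is all a list reader needs to help debug the SA.
    keys_found lists dicts with 'kind' (E or A), 'alg' and 'bits' per key.
    """
    scrubbed, found = [], []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m is None:
            scrubbed.append(line)
            continue
        bits = 32 * len(m.group("key").split())  # one printed word = 4 bytes
        found.append({"kind": m.group("kind"), "alg": m.group("alg"), "bits": bits})
        scrubbed.append(f"{m.group('lead')}<{bits}-bit key redacted>")
    return "\n".join(scrubbed), found


# Constructed sample in the setkey -D layout; the key values are made up.
SAMPLE = (
    "10.0.0.1 10.0.0.2\n"
    "\tesp mode=tunnel spi=1(0x00000001) reqid=1(0x00000001)\n"
    "\tE: rijndael-cbc  00112233 44556677 8899aabb ccddeeff\n"
    "\tA: hmac-sha2-256  00000000 11111111 22222222 33333333"
    " 44444444 55555555 66666666 77777777\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
)

if __name__ == "__main__":
    text, keys = redact_setkey_dump(SAMPLE)
    print(text)
    for k in keys:
        print(f"found {k['kind']}: {k['alg']} ({k['bits']}-bit key)")
```

The same filter works on output piped in from `setkey -D` on the box, so the scrubbed copy is what gets pasted rather than the original.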