Date: Thu, 17 Jul 2008 17:28:11 +0200
From: "Ralf Hornik Mailings" <ralf@best.homeunix.org>
To: freebsd-questions@freebsd.org
Subject: Re: Using OpenBSD's isakmpd in FreeBSD
Message-ID: <20080717172811.19282i42ayvmawis@www.ralf-hornik.de>
In-Reply-To: <20080717160027.13371z3sdsm60z9c@www.ralf-hornik.de>
References: <20080717160027.13371z3sdsm60z9c@www.ralf-hornik.de>

Appendix:

The corresponding suite is:

[AES-SHA-GRP5-RSA_SIG]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,128:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1536

Might it be, that this aes cipher is missing in kernel?
A man (4) crypto shows:

----------------
Depending on hardware being present, the following symmetric and
asymmetric cryptographic features are potentially available from
/dev/crypto:
...
CRYPTO_AES_CBC
...
----------------

For IPSec I added

option IPSEC
device crypto
device cryptodev
device hifn (for hifn card)

to the kernelfile.

Do I miss something else, or what else can I do?

Regards

Ralf

"Ralf Hornik Mailings" <ralf@best.homeunix.org> wrote:

> Dear List,
>
> I want to switch my routers from openbsd to freebsd and use the port
> of isakmpd for my vpn tunnels. But when I want to use my config from
> openbsd, isakmpd doesn't seem to configure aes in phase I proposal.
>
> The corresponding configentry is:
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= AES-SHA-GRP5-RSA_SIG
>
> starting isakmpd shows up:
>
> ike_phase_1_initiator_send_SA: section [AES-SHA-GRP5-RSA_SIG] has
> unsupported attribute(s)
>
> When I use 3des instead, isakmpd starts without errors. But I MUST
> use aes in phase I because all remote peers use it, I cannot change
> them all. Has anybody an idea, why isakmpd won't use aes in phase I
> but in phase II?
> Thank you and best Regards
>
> Ralf
>
> --
> everything stays different...
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

--
everything stays different...