From owner-freebsd-questions@FreeBSD.ORG Thu Jul 17 15:27:57 2008
From: "Ralf Hornik Mailings"
To: freebsd-questions@freebsd.org
Date: Thu, 17 Jul 2008 17:28:11 +0200
Subject: Re: Using OpenBSD's isakmpd in FreeBSD
Message-ID: <20080717172811.19282i42ayvmawis@www.ralf-hornik.de>
In-Reply-To: <20080717160027.13371z3sdsm60z9c@www.ralf-hornik.de>
Appendix: The corresponding suite is:

[AES-SHA-GRP5-RSA_SIG]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256,128:256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  RSA_SIG
GROUP_DESCRIPTION=      MODP_1536

Might it be that this AES cipher is missing in the kernel? man 4 crypto shows:

----------------
Depending on hardware being present, the following symmetric and asymmetric
cryptographic features are potentially available from /dev/crypto:
...
CRYPTO_AES_CBC
...
----------------

For IPsec I added

option IPSEC
device crypto
device cryptodev
device hifn (for hifn card)

to the kernel file. Am I missing something else, or what else can I do?

Regards
Ralf

"Ralf Hornik Mailings" wrote:

> Dear List,
>
> I want to switch my routers from OpenBSD to FreeBSD and use the port of isakmpd for my
> VPN tunnels. But when I want to use my config from OpenBSD, isakmpd doesn't seem to
> configure AES in the phase I proposal.
>
> The corresponding config entry is:
>
> [Default-main-mode]
> DOI=            IPSEC
> EXCHANGE_TYPE=  ID_PROT
> Transforms=     AES-SHA-GRP5-RSA_SIG
>
> Starting isakmpd shows:
>
> ike_phase_1_initiator_send_SA: section [AES-SHA-GRP5-RSA_SIG] has unsupported attribute(s)
>
> When I use 3DES instead, isakmpd starts without errors. But I MUST use AES in phase I
> because all remote peers use it; I cannot change them all. Has anybody an idea why
> isakmpd won't use AES in phase I but in phase II?
> Thank you and best regards
>
> Ralf
>
> --
> everything stays different...
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
everything stays different...
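An added example, not part of this thread and not isakmpd's own code: a small Python checker that parses the isakmpd.conf sections quoted above, resolves the transform a mode references, and flags a missing attribute or a KEY_LENGTH default outside its own min:max range. The required attribute names follow isakmpd.conf(5); the set of ciphers that take KEY_LENGTH is an assumption, and the sample config is constructed from the mail.

```python
# Constructed sample: the mail's transform section and a minimal mode referencing it.
SAMPLE_CONF = """\
[Default-main-mode]
Transforms=             AES-SHA-GRP5-RSA_SIG
[AES-SHA-GRP5-RSA_SIG]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256,128:256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  RSA_SIG
GROUP_DESCRIPTION=      MODP_1536
"""
# Attributes every phase 1 transform section carries (isakmpd.conf(5)).
REQUIRED = ("ENCRYPTION_ALGORITHM", "HASH_ALGORITHM", "AUTHENTICATION_METHOD", "GROUP_DESCRIPTION")
# Assumption: ciphers whose key size is negotiated and so need KEY_LENGTH.
VARIABLE_KEY = {"AES_CBC", "CAST_CBC", "BLOWFISH_CBC"}

def parse_conf(text):
    """Parse the [section] / KEY= value layout into a dict of dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def parse_key_length(spec):
    """'256,128:256' -> (default, min, max); a bare '128' is fixed-size."""
    default, _, rng = spec.partition(",")
    lo, _, hi = rng.partition(":") if rng else (default, "", default)
    return int(default), int(lo), int(hi or lo)

def check_phase1(sections, mode="Default-main-mode"):
    """Resolve the transforms a mode references and list any problems."""
    problems = []
    for name in sections.get(mode, {}).get("Transforms", "").split(","):
        t = sections.get(name := name.strip(), {})   # {} if section missing
        problems += [f"{name}: missing {a}" for a in REQUIRED if a not in t]
        enc = t.get("ENCRYPTION_ALGORITHM")
        if enc in VARIABLE_KEY and "KEY_LENGTH" not in t:
            problems.append(f"{name}: {enc} needs KEY_LENGTH")
        elif "KEY_LENGTH" in t:
            d, lo, hi = parse_key_length(t["KEY_LENGTH"])
            if not lo <= d <= hi:
                problems.append(f"{name}: KEY_LENGTH {d} outside {lo}:{hi}")
    return problems
```

Running `check_phase1(parse_conf(SAMPLE_CONF))` on the quoted suite returns an empty list, so the attribute set itself is complete; the check does not tell you whether the installed isakmpd build accepts AES in phase 1.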