From: "Peter G."
To: freebsd-net@freebsd.org
Subject: Static IPsec (via setkey) and -A aes-xcbc-mac, how to?
Date: Mon, 27 Nov 2017 06:15:10 +0100

Hi,

can somebody please show me the correct syntax of setting static SA with aes-xcbc-mac authentication? I checked rfc3566, my "base" encryption algo is aes-128, aes-xcbc-mac is supposed to work with a 128-bit (16 characters) long key. I don't seem to be able to set it up, though.

Example (aes-cbc 128bit + supposedly aes-xcbc-mac):

    add 10.10.1.1 10.10.2.2 esp 400 -m transport -u 400 -E rijndael-cbc "abcdefghijklmnop" -A aes-xcbc-mac "1234567890123456";

ends up in an error:

    line 5: Not supported at [1234567890123456]
    parse failed, line 5.

The same syntax and appropriate key length work with anything else, e.g. hmac-sha2-256 with 32 character long key works just fine.

Please advise.

PG