From owner-freebsd-net@FreeBSD.ORG Tue Dec 2 02:20:25 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 16958106564A for ; Tue, 2 Dec 2008 02:20:25 +0000 (UTC) (envelope-from jiabwang@redhat.com) Received: from mx2.redhat.com (mx2.redhat.com [66.187.237.31]) by mx1.freebsd.org (Postfix) with ESMTP id 07C368FC19 for ; Tue, 2 Dec 2008 02:20:25 +0000 (UTC) (envelope-from jiabwang@redhat.com) Received: from int-mx2.corp.redhat.com (int-mx2.corp.redhat.com [172.16.27.26]) by mx2.redhat.com (8.13.8/8.13.8) with ESMTP id mB22KOhe016786 for ; Mon, 1 Dec 2008 21:20:24 -0500 Received: from ns3.rdu.redhat.com (ns3.rdu.redhat.com [10.11.255.199]) by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id mB22KN1t018612 for ; Mon, 1 Dec 2008 21:20:24 -0500 Received: from [10.66.65.20] (dhcp-65-20.nay.redhat.com [10.66.65.20]) by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id mB22KMZh010528 for ; Mon, 1 Dec 2008 21:20:23 -0500 Message-ID: <49349B93.40208@redhat.com> Date: Tue, 02 Dec 2008 10:21:07 +0800 From: wang_jiabo User-Agent: Thunderbird 2.0.0.14 (X11/20080515) MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.58 on 172.16.27.26 Subject: [ipsec]could you help me explain where problem is for aes-ctr of ESP X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2008 02:20:25 -0000 Hello, all: following is my setkey configration. I can get SAD and SPD. but when I run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD FreeBSD report: kernel: esp_aesctr_decrypt aes-ctr:payload length must be multiple of 16 kernel: decrypt fail in IPv6 ESP input : SA(SPI 8192 src=3ffe:0501:ffff:0103:020a:ebff:fe85:9e56 dst=3ffe:0501:ffff:0104:021d:0fff:fe19:59fc) but when I use "ping6 -I rl0 -s 4(or 6 or 20) 3ffe:501:ffff:103:20a:ebff:fe85:9e56" that the report disappear. I read RFC, did not find the explain. could you give me a explain? Thanks on RedHat (ipsec-tools 0.6.5) #!/sbin/setkey -f flush; spdflush; add 3ffe:501:ffff:104:21d:fff:fe19:59fc 3ffe:501:ffff:103:20a:ebff:fe85:9e56 esp 0x1000 -m transport -E aes-ctr "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1"; spdadd 3ffe:501:ffff:104:21d:fff:fe19:59fc 3ffe:501:ffff:103:20a:ebff:fe85:9e56 any -P in ipsec esp/transport//require; add 3ffe:501:ffff:103:20a:ebff:fe85:9e56 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E aes-ctr "ipv6readylogoaes1to2" -A hmac-sha1 "ipv6readylogsha11to2"; spdadd 3ffe:501:ffff:103:20a:ebff:fe85:9e56 3ffe:501:ffff:104:21d:fff:fe19:59fc any -P out ipsec esp/transport//require; on FreeBSD6.3(ipsec-tools 0.7, using 0.6.6, problem keep still ) flush; spdflush; add 3ffe:501:ffff:103:20a:ebff:fe85:9e56 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E aes-ctr "ipv6readylogoaes1to2" -A hmac-sha1 "ipv6readylogsha11to2"; spdadd 3ffe:501:ffff:103:20a:ebff:fe85:9e56 3ffe:501:ffff:104:21d:fff:fe19:59fc any -P in ipsec esp/transport//require; add 3ffe:501:ffff:104:21d:fff:fe19:59fc 3ffe:501:ffff:103:20a:ebff:fe85:9e56 esp 0x1000 -m transport -E aes-ctr "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1"; spdadd 3ffe:501:ffff:104:21d:fff:fe19:59fc 3ffe:501:ffff:103:20a:ebff:fe85:9e56 any -P out ipsec esp/transport//require;