From: "George Neville-Neil" <gnn@neville-neil.com>
To: "Sydney Meyer"
Cc: "FreeBSD CURRENT" <freebsd-current@freebsd.org>
Subject: Re: IPSEC stop works after r285336
Date: Tue, 04 Aug 2015 16:21:51 +0100
Message-ID: <2A67BE23-CBA2-4AD6-A8EB-7D3DB7B56760@neville-neil.com>
References: <20150729071732.GA78154@funkthat.com> <55B8CD6C.7080804@shurik.kiev.ua> <18D9D532-15B2-4B30-B088-74E7E4566254@googlemail.com> <20150801200137.GK78154@funkthat.com> <422BE6C0-B106-44E2-927A-7AE04885251F@googlemail.com> <20150802035359.GO78154@funkthat.com> <3D37A596-CC4A-446C-BBE7-27DC9DC7E1F7@neville-neil.com>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

Two things you might do to help. The first is just send out a list of what you are testing so we know. The second is to contribute configs and the like to the netperf repo https://github.com/gvnn3/netperf

We take pull requests :-)

Best,
George

On 3 Aug 2015, at 23:20, Sydney Meyer wrote:

> Besides strongswan (actually, I don't know of any other IKE daemon which supports AES-GCM, apart from NetBSD's racoon) connections with manually set up policies indeed seem to work fine, host-host iperf stuff, nothing fancy yet.
>
> Anyway, I will start playing around with this in some more scenarios and let you guys know if I come around any problems.
>
> If you would like me to test something specific, please let me know if I can help.
>
> Cheers,
> S.
>
>> On 03 Aug 2015, at 18:23, George Neville-Neil wrote:
>>
>> This is being actively debugged and jmg@ and I have been testing a fix that should address this issue.
>>
>> Best,
>> George
>>
>> On 3 Aug 2015, at 0:15, Sydney Meyer wrote:
>>
>>> Hi John-Mark,
>>>
>>> the revision I built included gnn's patches to setkey already.
>>>
>>> I have tried to set up a tunnel using strongswan with GCM as ESP cipher mode, but the connection fails with "algorithm AES_GCM_16 not supported by kernel"..
>>>
>>> Here's the full log output:
>>>
>>> Aug 3 00:34:28 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 11.0-CURRENT, amd64)
>>> Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>> Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
>>> Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>> Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
>>> Aug 3 00:34:28 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>>> Aug 3 00:34:28 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>>> Aug 3 00:34:28 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>>> Aug 3 00:34:28 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>>> Aug 3 00:34:28 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>>> Aug 3 00:34:28 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>>> Aug 3 00:34:28 00[CFG] loaded IKE secret for @moon.strongswan.org @sun.strongswan.org
>>> Aug 3 00:34:28 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
>>> Aug 3 00:34:28 00[JOB] spawning 16 worker threads
>>> Aug 3 00:34:28 15[CFG] received stroke: add connection 'host-host'
>>> Aug 3 00:34:28 15[CFG] added configuration 'host-host'
>>> Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[500] to 10.0.30.59[500] (448 bytes)
>>> Aug 3 00:34:47 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>> Aug 3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
>>> Aug 3 00:34:47 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
>>> Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[500] to 10.0.30.109[500] (448 bytes)
>>> Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[4500] to 10.0.30.59[4500] (282 bytes)
>>> Aug 3 00:34:47 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> Aug 3 00:34:47 15[CFG] looking for peer configs matching 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>> Aug 3 00:34:47 15[CFG] selected peer config 'host-host'
>>> Aug 3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
>>> Aug 3 00:34:47 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>> Aug 3 00:34:47 15[IKE] peer supports MOBIKE
>>> Aug 3 00:34:47 15[IKE] authentication of 'sun.strongswan.org' (myself) with pre-shared key
>>> Aug 3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>> Aug 3 00:34:47 15[IKE] scheduling reauthentication in 3416s
>>> Aug 3 00:34:47 15[IKE] maximum IKE_SA lifetime 3596s
>>> Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
>>> Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
>>> Aug 3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>>> Aug 3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
>>> Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4: No such file or directory (2)
>>> Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c653554a: No such file or directory (2)
>>> Aug 3 00:34:47 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
>>> Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[4500] to 10.0.30.109[4500] (159 bytes)
>>>
>>> I know that pfSense has moved from racoon to strongswan as their IKE daemon, iirc mainly because of strongswan's IKEv2 daemon and their GCM support. I'm going to try and have a look what changes pfSense may have made to strongswan to support GCM on FreeBSD, although I should probably mention, I am not very experienced at this.
>>>
>>>
>>>> On 02 Aug 2015, at 05:53, John-Mark Gurney wrote:
>>>>
>>>> Sydney Meyer wrote this message on Sun, Aug 02, 2015 at 04:03 +0200:
>>>>> I have tried your patches from your ipsecgcm branch. The build completes, boots fine and indeed, dmesg shows "aesni0: on motherboard".
>>>>
>>>> Yeh, these patches are more about getting IPsec to work w/ the modes that aesni now supports...
>>>>
>>>>> I'm going to try out the new cipher modes tomorrow and will get back..
>>>>
>>>> Make sure you get gnn's setkey changes in r286143 otherwise GCM and CTR won't work...
>>>>
>>>> Thanks for doing more testing.. I've only done basic ping tests, so passing more real traffic through would be nice...
>>>>
>>>>>> On 01 Aug 2015, at 22:01, John-Mark Gurney wrote:
>>>>>>
>>>>>> Sydney Meyer wrote this message on Wed, Jul 29, 2015 at 22:01 +0200:
>>>>>>> Same here, fixed running r286015. Thanks a bunch.
>>>>>>
>>>>>> If you'd like to do some more testing, test the patches in:
>>>>>> https://github.com/jmgurney/freebsd/tree/ipsecgcm
>>>>>>
>>>>>> These patches get GCM and CTR modes working as tested against NetBSD 6.1.5...
>>>>>>
>>>>>> Hope to commit these in the next few days..
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>>>> On 29 Jul 2015, at 14:56, Alexandr Krivulya wrote:
>>>>>>>>
>>>>>>>> 29.07.2015 10:17, John-Mark Gurney wrote:
>>>>>>>>> Alexandr Krivulya wrote this message on Thu, Jul 23, 2015 at 10:38 +0300:
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>> With r285535 all works fine.
>>>>>>>>> Sydney Meyer wrote this message on Mon, Jul 27, 2015 at 23:49 +0200:
>>>>>>>>>> I'm having the same problem with IPSec, running -current with r285794.
>>>>>>>>>>
>>>>>>>>>> Don't know if this helps, but "netstat -s -p esp" shows packets dropped; bad ilen.
>>>>>>>>> It looks like there was an issue w/ that commit... After looking at the code, and working w/ gnn, I have committed r286000 which fixes it in my test cases...
>>>>
>>>> --
>>>> John-Mark Gurney Voice: +1 415 225 5579
>>>>
>>>> "All that I will do, has been done, All that I have, has not."
>>>
>>> _______________________________________________
>>> freebsd-current@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"