Date: Thu, 10 Jul 2008 08:34:11 +0200
From: Patrick Lamaizière <patfbsd@davenulle.org>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: AMD Geode LX crypto accelerator (glxsb)
Message-ID: <20080710083411.0842ba20@baby-jane-lamaiziere-net.local>
In-Reply-To: <200807091931.m69JVWej032290@lava.sentex.ca>
References: <20080606234135.46144207@baby-jane-lamaiziere-net.local> <20080622170507.5ac469d2@baby-jane-lamaiziere-net.local> <200807091931.m69JVWej032290@lava.sentex.ca>
On Wed, 09 Jul 2008 15:31:30 -0400,
Mike Tancsa <mike@sentex.net> wrote:
> Without the module loaded, I can do something simple like
>
>
> # sh s
> # cat s
> MEOUTSIDE=64.x.x.x
> MEINSIDE=192.168.5.0/24
> REMOTEOUTSIDE=64.y.y.y
> REMOTEINSIDE=192.168.1.0/24
> IPSECKEY=zxzpprlNH61N11SGfrCa8dxZ
>
>
> setkey -c <<EOF
> add $MEOUTSIDE $REMOTEOUTSIDE esp 1049
> -m any -E rijndael-cbc "$IPSECKEY";
> add $REMOTEOUTSIDE $MEOUTSIDE esp 1049
> -m any -E rijndael-cbc "$IPSECKEY";
> spdadd $MEINSIDE $REMOTEINSIDE any -P
> out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
> spdadd $REMOTEINSIDE $MEINSIDE any -P
> in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
> EOF
>
>
> But if I load the glxsb modules, setkey fails on the same policy.
>
> # setkey -F
> # setkey -FP
> # setkey -DP
> No SPD entries.
> # kldload glxsb
> # dmesg | tail
> vr0: link state changed to DOWN
> vr0: link state changed to UP
> vr0: promiscuous mode enabled
> vr0: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> glxsb0: detached
> glxsb0: <AMD Geode LX Security Block (AES-128-CBC,RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0
> # sh s
> The result of line 1: Invalid argument.
> The result of line 2: Invalid argument.
> #
>
> What is the proper AES encryption to use for IPSEC?
It is rijndael-cbc.
> Why is there a difference in syntax?
I don't know. Maybe the key? The length of your key is 24 characters;
it should be 16 (128 bits).
Does it work with a 128-bit key?
My setkey setup is:
flush;
spdflush;
add 192.168.1.21 192.168.1.200 esp 1011
-E rijndael-cbc "0123456789012345"
-A hmac-sha1 "98765432109876543210";
add 192.168.1.200 192.168.1.21 esp 1012
-E rijndael-cbc "0123456789012345"
-A hmac-sha1 "98765432109876543210";
spdadd 192.168.1.200 192.168.1.21 any -P out ipsec
esp/transport//require;
spdadd 192.168.1.21 192.168.1.200 any -P in ipsec
esp/transport//require;
Regards.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080710083411.0842ba20>
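The two configurations above differ in a way that matters beyond the key length: the quoted tunnel script uses the same 24-character key for both directions and no `-A` authentication algorithm, so those ESP SAs encrypt without any integrity check, while the transport-mode setup in the reply carries `-A hmac-sha1`. The dmesg line quoted above also shows what the hardware advertises, `(AES-128-CBC,RNG)`, so once glxsb is attached a 24-byte (192-bit) rijndael-cbc key cannot be offloaded and the SA is refused. The script below is an added example written for this page; it is not code from either poster or from FreeBSD. It checks key lengths before calling setkey(8), generates random 16-byte and 20-byte keys in setkey's `0x` hex form, uses separate keys and SPIs per direction, and adds hmac-sha1 to the tunnel-mode SAs. All addresses (RFC 5737 documentation ranges), SPIs, and keys are constructed placeholders; the `show`/`apply` arguments are this script's own convention.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD: build a manual
# IPsec ESP tunnel configuration for setkey(8) whose key lengths match what
# glxsb(4) can offload (AES-128-CBC only, i.e. a 16-byte key), add HMAC-SHA1
# authentication (20-byte key), and only then hand it to setkey.
# Addresses, SPIs and every key below are constructed placeholders.

AES128_KEY_BYTES=16     # rijndael-cbc with a 128-bit key; glxsb offloads nothing larger
HMAC_SHA1_KEY_BYTES=20  # hmac-sha1 key length setkey expects

# key_bytes KEY: number of key bytes, for a "0x.." hex key or a raw ASCII key.
key_bytes() {
    case "$1" in
        0x*) h=${1#0x}; echo $(( ${#h} / 2 )) ;;
        *)   echo "${#1}" ;;
    esac
}

# gen_hex_key BYTES: random key from /dev/urandom in setkey's 0x hex form,
# instead of a password-like ASCII string.
gen_hex_key() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# check_keys ENCKEY AUTHKEY: returns 0 if both lengths are usable, 1 otherwise.
# A 24-byte key (as in the quoted script) is what glxsb rejects with EINVAL.
check_keys() {
    ok=0
    if [ "$(key_bytes "$1")" -ne "$AES128_KEY_BYTES" ]; then
        echo "encryption key is $(key_bytes "$1") bytes; glxsb needs exactly $AES128_KEY_BYTES (AES-128)" >&2
        ok=1
    fi
    if [ "$(key_bytes "$2")" -ne "$HMAC_SHA1_KEY_BYTES" ]; then
        echo "authentication key is $(key_bytes "$2") bytes; hmac-sha1 needs $HMAC_SHA1_KEY_BYTES" >&2
        ok=1
    fi
    return $ok
}

# build_setkey_conf ME REMOTE MEINSIDE REMOTEINSIDE ENC_OUT AUTH_OUT ENC_IN AUTH_IN
# Prints the setkey(8) configuration: one SA per direction with its own SPI and
# its own keys, each both encrypted and authenticated, plus tunnel-mode policies.
build_setkey_conf() {
    me=$1 remote=$2 meinside=$3 remoteinside=$4
    enc_out=$5 auth_out=$6 enc_in=$7 auth_in=$8
    check_keys "$enc_out" "$auth_out" && check_keys "$enc_in" "$auth_in" || return 1
    cat <<EOF
flush;
spdflush;
add $me $remote esp 0x1001 -m tunnel
    -E rijndael-cbc $enc_out
    -A hmac-sha1 $auth_out;
add $remote $me esp 0x1002 -m tunnel
    -E rijndael-cbc $enc_in
    -A hmac-sha1 $auth_in;
spdadd $meinside $remoteinside any -P out ipsec esp/tunnel/$me-$remote/require;
spdadd $remoteinside $meinside any -P in ipsec esp/tunnel/$remote-$me/require;
EOF
}

ME=192.0.2.1;             REMOTE=198.51.100.1        # constructed outer addresses
MEINSIDE=192.168.5.0/24;  REMOTEINSIDE=192.168.1.0/24

case "${1:-show}" in
    show)   # dry run with freshly generated keys: prints what would be loaded
        build_setkey_conf "$ME" "$REMOTE" "$MEINSIDE" "$REMOTEINSIDE" \
            "$(gen_hex_key $AES128_KEY_BYTES)" "$(gen_hex_key $HMAC_SHA1_KEY_BYTES)" \
            "$(gen_hex_key $AES128_KEY_BYTES)" "$(gen_hex_key $HMAC_SHA1_KEY_BYTES)" ;;
    apply)  # both peers must share the keys, so they are passed in explicitly:
            # ./glxsb-ipsec.sh apply ENC_OUT AUTH_OUT ENC_IN AUTH_IN
        build_setkey_conf "$ME" "$REMOTE" "$MEINSIDE" "$REMOTEINSIDE" \
            "$2" "$3" "$4" "$5" | setkey -c ;;
esac
```

Run it without arguments to see the generated configuration; the peer gets the same keys with the `_OUT` and `_IN` pairs swapped. The length check is the useful part: setkey only reports `Invalid argument` with a line number, and the line it blames is the `add`, not the key, so checking the key size before the call is the quickest way to tell a 192-bit key that the software path accepts from one the accelerator cannot take.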
