From: Patrick Lamaizière <patfbsd@davenulle.org>
To: Mike Tancsa
Cc: freebsd-stable@freebsd.org
Date: Thu, 10 Jul 2008 08:34:11 +0200
Subject: Re: AMD Geode LX crypto accelerator (glxsb)
Message-ID: <20080710083411.0842ba20@baby-jane-lamaiziere-net.local>
In-Reply-To: <200807091931.m69JVWej032290@lava.sentex.ca>
References: <20080606234135.46144207@baby-jane-lamaiziere-net.local> <20080622170507.5ac469d2@baby-jane-lamaiziere-net.local> <200807091931.m69JVWej032290@lava.sentex.ca>
Organization: /dave/nulle
X-Mailer: Claws Mail 3.3.1 (GTK+ 2.12.9; i386-apple-darwin9.3.0)

On Wed, 09 Jul 2008 15:31:30 -0400, Mike Tancsa wrote:

> Without the module loaded, I can do something simple like
>
> # sh s
> # cat s
> MEOUTSIDE=64.x.x.x
> MEINSIDE=192.168.5.0/24
> REMOTEOUTSIDE=64.y.y.y
> REMOTEINSIDE=192.168.1.0/24
> IPSECKEY=zxzpprlNH61N11SGfrCa8dxZ
>
> setkey -c <<EOF
> add $MEOUTSIDE $REMOTEOUTSIDE esp 1049
> -m any -E rijndael-cbc "$IPSECKEY";
> add $REMOTEOUTSIDE $MEOUTSIDE esp 1049
> -m any -E rijndael-cbc "$IPSECKEY";
> spdadd $MEINSIDE $REMOTEINSIDE any -P
> out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
> spdadd $REMOTEINSIDE $MEINSIDE any -P
> in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
> EOF
>
> But if I load the glxsb modules, setkey fails on the same policy.
>
> # setkey -F
> # setkey -FP
> # setkey -DP
> No SPD entries.
> # kldload glxsb
> # dmesg | tail
> vr0: link state changed to DOWN
> vr0: link state changed to UP
> vr0: promiscuous mode enabled
> vr0: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> glxsb0: detached
> glxsb0: (AES-128-CBC,RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0
> # sh s
> The result of line 1: Invalid argument.
> The result of line 2: Invalid argument.
> #
>
> What is the proper AES encryption to use for IPSEC?

It is rijndael-cbc.

> Why is there a difference in syntax?

I don't know. Maybe the key? The length of your key is 24 characters; it should be 16 (128 bits). Does it work with a 128-bit key?

My setkey setup is

flush;
spdflush;
add 192.168.1.21 192.168.1.200 esp 1011 -E rijndael-cbc "0123456789012345" -A hmac-sha1 "98765432109876543210";
add 192.168.1.200 192.168.1.21 esp 1012 -E rijndael-cbc "0123456789012345" -A hmac-sha1 "98765432109876543210";
spdadd 192.168.1.200 192.168.1.21 any -P out ipsec esp/transport//require;
spdadd 192.168.1.21 192.168.1.200 any -P in ipsec esp/transport//require;

Regards.
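The key-length mismatch discussed in this thread can be caught before setkey(8) reports "Invalid argument". The following checker is an added example, not code from the thread or from FreeBSD: it splits a setkey script into statements, reads the `-E`/`-A` keys of each `add`, and compares their bit lengths with the sizes the algorithm accepts and, optionally, with what a hardware engine offloads. The `GLXSB_BITS` table is an assumption taken only from the dmesg line `(AES-128-CBC,RNG)` above; the sample script and its 24-character key are constructed.

```python
"""Check ESP key lengths in a setkey(8) script against the algorithm's
accepted key sizes and, optionally, a hardware engine's supported sizes."""
import shlex

# Key sizes (bits) accepted for the two algorithms used in the thread.
KEY_BITS = {
    "rijndael-cbc": {128, 192, 256},  # AES-CBC
    "hmac-sha1": {160},
}
# Assumption drawn from the dmesg line "glxsb0: (AES-128-CBC,RNG)":
# the engine only advertises 128-bit AES-CBC.
GLXSB_BITS = {"rijndael-cbc": {128}}

def key_bits(key):
    """Bit length of a setkey key given as quoted ASCII or 0x-prefixed hex."""
    if key.startswith("0x"):
        return (len(key) - 2) * 4
    return len(key) * 8

def check_setkey(script, hw_bits=None):
    """Return (statement_no, algorithm, bits, problem) for every bad key.

    Statements are ';'-terminated, so multi-line 'add' lines are handled.
    """
    problems = []
    for no, stmt in enumerate(script.split(";"), 1):
        toks = shlex.split(stmt)          # strips the quotes around keys
        if not toks or toks[0] != "add":
            continue
        for flag, kind in (("-E", "encryption"), ("-A", "auth")):
            if flag not in toks or toks.index(flag) + 2 >= len(toks):
                continue
            i = toks.index(flag)
            alg, bits = toks[i + 1], key_bits(toks[i + 2])
            if bits not in KEY_BITS.get(alg, set()):
                problems.append((no, alg, bits, f"{kind} key size invalid for {alg}"))
            elif hw_bits and alg in hw_bits and bits not in hw_bits[alg]:
                problems.append((no, alg, bits, f"{kind} key size not offloaded by engine"))
    return problems

# Constructed sample: a 24-character (192-bit) AES key, like the one in the
# thread, next to a 16-character (128-bit) one; HMAC keys are 20 bytes.
SAMPLE = """\
flush;
spdflush;
add 192.168.1.21 192.168.1.200 esp 1011 -E rijndael-cbc "aaaabbbbccccddddeeeeffff" -A hmac-sha1 "98765432109876543210";
add 192.168.1.200 192.168.1.21 esp 1012 -E rijndael-cbc "0123456789012345" -A hmac-sha1 "98765432109876543210";
"""

if __name__ == "__main__":
    for p in check_setkey(SAMPLE, GLXSB_BITS):
        print("statement %d: %s (%s, %d bits)" % (p[0], p[3], p[1], p[2]))
```

Run without `GLXSB_BITS` the sample is clean, since 192-bit AES is a valid software key; with it, statement 3 is flagged, which is the situation the thread describes.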