From: Sydney Meyer <meyer.sydney@googlemail.com>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: Re: IPSEC stop works after r285336
Date: Thu, 6 Aug 2015 06:47:44 +0200
In-Reply-To: <2A67BE23-CBA2-4AD6-A8EB-7D3DB7B56760@neville-neil.com>
List-Id: Discussions about the use of FreeBSD-current

Hello George,

sorry for the late reply. I wasn't benchmarking/testing anything specific, I'm just interested in FreeBSD for virtual networking (router, packet filter, ipsec-gateway, etc.) since the addition of XENHVM and more recently IPSEC.

(Network) benchmarking a virtual environment is a topic (as with benchmarking in general, as I have learned also from your talk at bsdcon '15 :) where one can do many things wrong, so for now I've decided that I need to read more about the topic before I can supply usable results or bug reports which do not stem from misinterpretation/misconfiguration.

When I do actual testing, I will include netperf and let you know the specs, configs and results.
> On 04 Aug 2015, at 17:21, George Neville-Neil wrote:
>
> Two things you might do to help.
>
> The first is just send out a list of what you are testing so we know.
>
> The second is to contribute configs and the like to the netperf repo
>
> https://github.com/gvnn3/netperf
>
> We take pull requests :-)
>
> Best,
> George
>
> On 3 Aug 2015, at 23:20, Sydney Meyer wrote:
>
>> Besides strongswan (actually, I don't know of any other ike-daemon which supports aes-gcm, apart from netbsd's racoon) connections with manually set up policies indeed seem to work fine, host-host iperf stuff, nothing fancy yet.
>>
>> Anyway, I will start playing around with this in some more scenarios and let you guys know if I come around any problems.
>>
>> If you would like me to test something specific, please let me know if I can help.
>>
>> Cheers,
>> S.
>>
>>> On 03 Aug 2015, at 18:23, George Neville-Neil wrote:
>>>
>>> This is being actively debugged and jmg@ and I have been testing a fix that should
>>> address this issue.
>>>
>>> Best,
>>> George
>>>
>>>
>>> On 3 Aug 2015, at 0:15, Sydney Meyer wrote:
>>>
>>>> Hi John-Mark,
>>>>
>>>> the revision I built included gnn's patches to setkey already.
>>>>
>>>> I have tried to set up a tunnel using strongswan with gcm as esp cipher mode, but the connection fails with "algorithm AES_GCM_16 not supported by kernel"..
>>>>
>>>> Here's the full log output:
>>>>
>>>> Aug 3 00:34:28 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 11.0-CURRENT, amd64)
>>>> Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>>> Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
>>>> Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>>> Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
>>>> Aug 3 00:34:28 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>>>> Aug 3 00:34:28 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>>>> Aug 3 00:34:28 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>>>> Aug 3 00:34:28 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>>>> Aug 3 00:34:28 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>>>> Aug 3 00:34:28 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>>>> Aug 3 00:34:28 00[CFG] loaded IKE secret for @moon.strongswan.org @sun.strongswan.org
>>>> Aug 3 00:34:28 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
>>>> Aug 3 00:34:28 00[JOB] spawning 16 worker threads
>>>> Aug 3 00:34:28 15[CFG] received stroke: add connection 'host-host'
>>>> Aug 3 00:34:28 15[CFG] added configuration 'host-host'
>>>> Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[500] to 10.0.30.59[500] (448 bytes)
>>>> Aug 3 00:34:47 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>> Aug 3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
>>>> Aug 3 00:34:47 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
>>>> Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[500] to 10.0.30.109[500] (448 bytes)
>>>> Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[4500] to 10.0.30.59[4500] (282 bytes)
>>>> Aug 3 00:34:47 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>> Aug 3 00:34:47 15[CFG] looking for peer configs matching 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>>> Aug 3 00:34:47 15[CFG] selected peer config 'host-host'
>>>> Aug 3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
>>>> Aug 3 00:34:47 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Aug 3 00:34:47 15[IKE] peer supports MOBIKE
>>>> Aug 3 00:34:47 15[IKE] authentication of 'sun.strongswan.org' (myself) with pre-shared key
>>>> Aug 3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>>> Aug 3 00:34:47 15[IKE] scheduling reauthentication in 3416s
>>>> Aug 3 00:34:47 15[IKE] maximum IKE_SA lifetime 3596s
>>>> Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
>>>> Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
>>>> Aug 3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>>>> Aug 3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
>>>> Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4: No such file or directory (2)
>>>> Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c653554a: No such file or directory (2)
>>>> Aug 3 00:34:47 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
>>>> Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[4500] to 10.0.30.109[4500] (159 bytes)
>>>>
>>>> I know that pfsense has moved from racoon to strongswan as their ike-daemon, iirc mainly because of strongswan's ikev2 daemon and their GCM support. I'm going to try and have a look at what changes pfsense may have made to strongswan to support GCM on FreeBSD, although I should probably mention, I am not very experienced at this.
>>>>
>>>>
>>>>> On 02 Aug 2015, at 05:53, John-Mark Gurney wrote:
>>>>>
>>>>> Sydney Meyer wrote this message on Sun, Aug 02, 2015 at 04:03 +0200:
>>>>>> I have tried your patches from your ipsecgcm branch. The build completes, boots fine and indeed, dmesg shows "aesni0: on motherboard".
>>>>>
>>>>> Yeh, these patches are more about getting IPsec to work w/ the modes
>>>>> that aesni now supports...
>>>>>
>>>>>> I'm going to try out the new cipher modes tomorrow and will get back..
>>>>>
>>>>> Make sure you get the gnn's setkey changes in r286143 otherwise GCM
>>>>> and CTR won't work...
>>>>>
>>>>> Thanks for doing more testing.. I've only done basic ping tests, so
>>>>> passing more real traffic through would be nice...
>>>>>
>>>>>>> On 01 Aug 2015, at 22:01, John-Mark Gurney wrote:
>>>>>>>
>>>>>>> Sydney Meyer wrote this message on Wed, Jul 29, 2015 at 22:01 +0200:
>>>>>>>> Same here, fixed running r286015. Thanks a bunch.
>>>>>>>
>>>>>>> If you'd like to do some more testing, test the patches in:
>>>>>>> https://github.com/jmgurney/freebsd/tree/ipsecgcm
>>>>>>>
>>>>>>> These patches get GCM and CTR modes working as tested against NetBSD
>>>>>>> 6.1.5...
>>>>>>>
>>>>>>> Hope to commit these in the next few days..
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>>> On 29 Jul 2015, at 14:56, Alexandr Krivulya wrote:
>>>>>>>>>
>>>>>>>>> 29.07.2015 10:17, John-Mark Gurney ??????????:
>>>>>>>>>> Alexandr Krivulya wrote this message on Thu, Jul 23, 2015 at 10:38 +0300:
>>>>>>>>>>
>>>>>>>>>> [...]
>>>>>>>>>>
>>>>>>>>>>> With r285535 all works fine.
>>>>>>>>>> Sydney Meyer wrote this message on Mon, Jul 27, 2015 at 23:49 +0200:
>>>>>>>>>>> I'm having the same problem with IPSec, running -current with r285794.
>>>>>>>>>>>
>>>>>>>>>>> Don't know if this helps, but "netstat -s -p esp" shows packets dropped; bad ilen.
>>>>>>>>>> It looks like there was an issue w/ that commit... After looking at
>>>>>>>>>> the code, and working w/ gnn, I have committed r286000 which fixes it
>>>>>>>>>> in my test cases...
>>>>>
>>>>> --
>>>>> John-Mark Gurney Voice: +1 415 225 5579
>>>>>
>>>>> "All that I will do, has been done, All that I have, has not."
>>>>
>>>> _______________________________________________
>>>> freebsd-current@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
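As an added example (not code from this thread or from strongSwan), a small triage script for the charon log format quoted above: it separates the IKE-level outcome from the kernel-side (KNL) SA installation failure, so a reader can see that IKE_AUTH succeeded and the CHILD_SA failed only because the kernel rejected AES_GCM_16. The sample lines are constructed from the quoted log; the function names and result keys are my own.

```python
import re
from collections import Counter

# Constructed sample, abridged from the charon log quoted in the thread.
SAMPLE_LOG = """\
Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
Aug 3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
Aug 3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug 3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Aug 3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4: No such file or directory (2)
"""

# One charon line: "<Mon> <day> <hh:mm:ss> <thread>[<SUBSYSTEM>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
UNSUPPORTED_RE = re.compile(r"algorithm (\S+) not supported by kernel")
STALE_SPI_RE = re.compile(r"unable to delete SAD entry with SPI ([0-9a-f]+)")

def parse(log):
    """Split a charon log into dicts with ts, thread, sub (KNL/IKE/CFG/...) and msg."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def triage(log):
    """Separate the IKE-level outcome from kernel-level (KNL) SA installation failures."""
    entries = parse(log)
    ike = [e["msg"] for e in entries if e["sub"] == "IKE"]
    knl = [e["msg"] for e in entries if e["sub"] == "KNL"]
    return {
        "ike_sa_established": any("IKE_SA" in m and "established" in m for m in ike),
        "child_sa_failed": any(m.startswith("failed to establish CHILD_SA") for m in ike),
        "kernel_unsupported": dict(Counter(m.group(1) for m in map(UNSUPPORTED_RE.search, knl) if m)),
        "stale_spis": [m.group(1) for m in map(STALE_SPI_RE.search, knl) if m],
    }

def classify(summary):
    """Name the layer at fault so the fix is aimed at the right place."""
    if summary["child_sa_failed"] and summary["kernel_unsupported"]:
        return "kernel-algorithm"  # IKE negotiated fine; the kernel lacks the ESP cipher
    if summary["child_sa_failed"]:
        return "sa-install"        # kernel refused the SA for some other reason
    if not summary["ike_sa_established"]:
        return "ike"               # never got past IKE_SA_INIT / IKE_AUTH
    return "ok"

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(classify(s), s)
```

A "kernel-algorithm" verdict means the ESP proposal must be changed or kernel cipher support fixed; re-checking PSKs or IKE proposals would be wasted effort.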