On 21.11.2014 00:35, John-Mark Gurney wrote:
> As I'm about to commit my AES-GCM work, I've been trying to do
> some testing to make sure I didn't break IPsec.
>
> The first major issue I ran across was transport mode... ae@ has been
> nice enough to get ICMP working in transport mode for IPv4 and IPv6,
> but it looks like TCP is still broken. I haven't tested UDP yet...
> So, IPsec even w/o crypto is fundamentally broken here... It's clear
> that not many people run transport mode...
>
> If someone could create a good test suite that makes sure basic
> IPsec traffic passes, that would be a huge win for us. The tests
> should test a complete cross product of: { tunnel, transport } x
> { TCP, UDP, ICMP, any others? } x { IPv4, IPv6 }. Please add to this
> list.

I usually do tests for both transport and tunnel modes with and without
gif(4)/gre(4). So, just tried between two CURRENT hosts and it works.
I use racoon and isakmpd for IKE. ICMP, TCP (ssh) and UDP (ike) work
for me.

How do you test? Do you use software crypto or aesni?

--
WBR, Andrey V. Elsukov