On 27/11/2017 06:15, Peter G. wrote:
> Hi, can somebody please show me the correct syntax of setting static SA
> with aes-xcbc-mac authentication? I checked rfc3566, my "base"
> encryption algo is aes-128, aes-xcbc-mac is supposed to work with a
> 128-bit (16 characters) long key. I don't seem to be able to set it up,
> though.
>
> Example (aes-cbc 128bit + supposedly aes-xcbc-mac):
>
> add 10.10.1.1 10.10.2.2 esp 400 -m transport -u 400 -E rijndael-cbc
> "abcdefghijklmnop" -A aes-xcbc-mac "1234567890123456";
>
> ends up in an error:
>
> line 5: Not supported at [1234567890123456]
> parse failed, line 5.
>
> The same syntax and appropriate key length work with anything else, e.g.
> hmac-sha2-256 with 32 character long key works just fine.

Oh, I am on 11.1.

I've found two docs which clearly make this possible:

Firstly, a blog entry in Japanese:
https://moimoitei.blogspot.com/2009/10/measure-ipsec-throughput.html

Secondly, some company's paper on some of their tech (not really
important), but usage of -E aes-ctr with -A aes-xcbc-mac is listed as an
option, page 20:
http://www.lobaro.com/download/6lowpan/ZWIR45xx_AN_Security_Rev_1_30.pdf

I've also reviewed evolution of aes support for cryptodev, e.g. starting
here: https://reviews.freebsd.org/D2566 and all the source files related
to either setkey (for example sbin/setkey/token.l) or opencrypto in the
sources list or at least note aes-xcbc-mac availability.

Does anybody know how to get this working? Or does this mean there's no
actual kernel support for aes-xcbc-mac?

Thanks!
PG