Appendix:
The corresponding suite is:
[AES-SHA-GRP5-RSA_SIG]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,128:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1536
Might it be, that this aes cipher is missing in kernel?
A man (4) crypto shows:
----------------
Depending on hardware being present, the following symmetric and asymmet-
ric cryptographic features are potentially available from /dev/crypto:
...
CRYPTO_AES_CBC
...
----------------
For IPSec I added
option IPSEC
device crypto
device cryptodev
device hifn (for hifn card)
to the kernelfile.
Do I miss something else, or what else can I do?
Regards
Ralf
"Ralf Hornik Mailings" <[EMAIL PROTECTED]> schreibte:
Dear List,
I want to switch my routers from openbsd to freebsd and use the port
of isakmpd for my
vpn tunnels. But when I want to use my config from openbsd, isakmpd
doesn't seem to
configure aes in phase I proposal.
The corresponding configentry is:
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP5-RSA_SIG
starting isakmpd shows up:
ike_phase_1_initiator_send_SA: section [AES-SHA-GRP5-RSA_SIG] has
unsupported attribute(s)
When I use 3des insteed, isakmpd starts without errors. But I MUST
use aes in phase I
because all remote peers use it, I cannot change them all. Has
anybody an idea, why
isakmpd won't use aes in phase I but in phase II?
Thank you and best Regards
Ralf
--
alles bleibt anders...
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
alles bleibt anders...
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
