Double your key length. Probably better to switch to GCM (aes-gcm-256) and drop the separate integrity algorithm too.
Thanks, Chris.

> On Oct 4, 2019, at 7:23 PM, Chuan Han via Lists.Fd.Io <chuanhan=google....@lists.fd.io> wrote:
>
> Hi,
>
> I want to use 256 bit crypto algorithm in my ipsec config.
>
> I have something like this:
> ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-256 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
>
> However, it gives me an error when I start vpp.
>
> ipsec sa: failed
>
> ipsec is not configured after the failure.
>
> vpp# sh ipsec all
> spd 1
> ip4-outbound:
> ip6-outbound:
> ip4-inbound-protect:
> ip6-inbound-protect:
> ip4-inbound-bypass:
> ip6-inbound-bypass:
> SPD Bindings:
> 1 -> eth0
> Tunnel interfaces
> vpp#
>
> When I change 256 to 128, everything works fine. Does this mean vpp ipsec only supports 128 ciphers? Or, I made some stupid mistakes?
>
> If I want to configure 256 bit ciphers, what shall I do?
>
> I attached the bad cfg file with 256 bit cipher, and good cfg file with 128 bit cipher.
>
> Thanks.
> Chuan
> <bad.cfg><good.cfg>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
>
> View/Reply Online (#14124): https://lists.fd.io/g/vpp-dev/message/14124
> Mute This Topic: https://lists.fd.io/mt/34400077/1826170
> Group Owner: vpp-dev+ow...@lists.fd.io
> Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [cho...@chopps.org]
> -=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#14125): https://lists.fd.io/g/vpp-dev/message/14125
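A small pre-check in the spirit of Chris's answer, added here as an illustration and not part of the thread or of VPP itself: it parses an `ipsec sa add` line and reports a crypto-key whose length does not match the declared crypto-alg (the 128-bit key with aes-cbc-256 above), and a separate integ-alg combined with an AEAD mode such as aes-gcm-256. The algorithm-to-key-size table and the fixed keys are assumptions built from the names used in the thread.

```python
import re
import shlex

# Key size in bytes per crypto-alg name. aes-cbc-128/256 and aes-gcm-256 come
# from the thread; the other entries are assumed to follow the same naming.
CRYPTO_KEY_BYTES = {
    "aes-cbc-128": 16, "aes-cbc-192": 24, "aes-cbc-256": 32,
    "aes-gcm-128": 16, "aes-gcm-192": 24, "aes-gcm-256": 32,
}
# AEAD modes carry their own integrity tag, so a separate integ-alg is redundant.
AEAD_ALGS = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256"}
# Keywords that take a value; anything else after the SA id is a bare flag (e.g. 'esp').
VALUE_KEYS = {"spi", "tunnel-src", "tunnel-dst", "crypto-key", "crypto-alg",
              "integ-key", "integ-alg"}

# The failing line from the thread, and two constructed variants for comparison.
BAD_SA = ("ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 "
          "crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-256 "
          "integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96")
KEY256 = "2b7e151628aed2a6abf7158809cf4f3d" * 2   # constructed 64-hex (256-bit) key
GOOD_SA = BAD_SA.replace("2b7e151628aed2a6abf7158809cf4f3d", KEY256)
GCM_SA = GOOD_SA.replace("aes-cbc-256", "aes-gcm-256")   # GCM but integ-alg left in

def parse_sa_add(line):
    """Split an 'ipsec sa add <id> ...' command into its key/value pairs and bare flags."""
    toks = shlex.split(line)
    if toks[:3] != ["ipsec", "sa", "add"] or len(toks) < 4:
        raise ValueError("not an 'ipsec sa add' command")
    params, flags, i = {"id": toks[3]}, set(), 4
    while i < len(toks):
        if toks[i] in VALUE_KEYS and i + 1 < len(toks):
            params[toks[i]] = toks[i + 1]
            i += 2
        else:
            flags.add(toks[i])
            i += 1
    params["flags"] = flags
    return params

def check_sa(line):
    """Return a list of problems with the SA definition (empty if it looks consistent)."""
    p, problems = parse_sa_add(line), []
    alg, key = p.get("crypto-alg"), p.get("crypto-key", "")
    if alg not in CRYPTO_KEY_BYTES:
        return [f"unknown crypto-alg {alg!r}"]
    if not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("crypto-key is not hex")
    elif len(key) % 2 or len(key) // 2 != CRYPTO_KEY_BYTES[alg]:
        problems.append(f"{alg} needs a {CRYPTO_KEY_BYTES[alg] * 8}-bit key, got {len(key) * 4} bits")
    if alg in AEAD_ALGS and "integ-alg" in p:
        problems.append("integ-alg is redundant with an AEAD crypto-alg")
    return problems
```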