double key size does not work. ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 crypto-key A11E51E5B111 crypto-alg aes-gcm-256 ipsec sa add 2 spi 255129 esp tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10 crypto-key A11E51E5B111 crypto-alg aes-gcm-256
I got the following errors: 000:41:02.7 --master-lcore 2 host-veth1 ipsec sa: failed The full config is as follows: set int state eth0 up set int ip address eth0 10.10.10.10/24 set int promiscuous on eth0 set ip arp eth0 10.10.10.11 b4:96:91:23:1e:d6 create host-interface name veth1 set int state host-veth1 up set int ip address host-veth1 172.16.1.1/24 set ip arp host-veth1 172.16.1.2 d6:4b:87:30:6a:60 ip route add 172.16.2.2/24 via 10.10.10.11 eth0 ipsec spd add 1 set interface ipsec spd eth0 1 ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 crypto-key A11E51E5B111 crypto-alg aes-gcm-256 ipsec sa add 2 spi 255129 esp tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10 crypto-key A11E51E5B111 crypto-alg aes-gcm-256 ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 0.0.0.0-255.255.255.255 ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 0.0.0.0-255.255.255.255 ipsec policy add spd 1 priority 10 inbound action protect sa 2 local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 172.16.2.1-172.16.2.255 ipsec policy add spd 1 priority 10 outbound action protect sa 1 local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 172.16.2.1-172.16.2.255 On Fri, Oct 4, 2019 at 7:52 PM Christian Hopps <cho...@chopps.org> wrote: > Double your key length. Probably better to switch to GCM (aes-gcm-256) and > drop the separate integrity algorithm too. > > Thanks, > Chris. > > > On Oct 4, 2019, at 7:23 PM, Chuan Han via Lists.Fd.Io <chuanhan= > google....@lists.fd.io> wrote: > > > > Hi, > > > > I want to use 256 bit crypto algorithm in my ipsec config. > > > > I have something like this: > > ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst > 10.10.10.11 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg > aes-cbc-256 integ-key 6867666568676665686766656867666568676669 integ-alg > sha1-96 > > > > However, it gives me an error when I start vpp. > > > > ipsec sa: failed > > > > ipsec is not configured after the failure. > > > > vpp# sh ipsec all > > spd 1 > > ip4-outbound: > > ip6-outbound: > > ip4-inbound-protect: > > ip6-inbound-protect: > > ip4-inbound-bypass: > > ip6-inbound-bypass: > > SPD Bindings: > > 1 -> eth0 > > Tunnel interfaces > > vpp# > > > > When I change 256 to 128, everything works fine. Does this mean vpp > ipsec only supports 128 ciphers? Or, I made some stupid mistakes? > > > > If I want to configure 256 bit ciphers, what shall I do? > > > > I attached the bad cfg file with 256 bit cipher, and good cfg file with > 128 bit cipher. > > > > Thanks. > > Chuan > > <bad.cfg><good.cfg>-=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > > > View/Reply Online (#14124): https://lists.fd.io/g/vpp-dev/message/14124 > > Mute This Topic: https://lists.fd.io/mt/34400077/1826170 > > Group Owner: vpp-dev+ow...@lists.fd.io > > Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [cho...@chopps.org] > > -=-=-=-=-=-=-=-=-=-=-=- > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#14127): https://lists.fd.io/g/vpp-dev/message/14127 Mute This Topic: https://lists.fd.io/mt/34400077/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
