A11E51E5B111 is from one of the online examples for gcm 256. 2b7e151628aed2a6abf7158809cf4f3d2b7e151628aed2a6abf7158809cf4f3d works.
Thanks for catching the mistakes.

On Sun, Oct 6, 2019 at 6:28 PM Christian Hopps <cho...@chopps.org> wrote:

> So you had: crypto-key 2b7e151628aed2a6abf7158809cf4f3d
> Now you "doubled" it and got: crypto-key A11E51E5B111
>
> ? :)
>
> Try crypto-key 2b7e151628aed2a6abf7158809cf4f3d2b7e151628aed2a6abf7158809cf4f3d
>
> A 128 bit algorithm needs a 16 byte key (128b=16B), a 256 bit algorithm needs a 32B key (256b=32B).
>
> Thanks,
> Chris.
>
> > On Oct 6, 2019, at 6:57 PM, Chuan Han <chuan...@google.com> wrote:
> >
> > Double key size does not work.
> >
> > ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 crypto-key A11E51E5B111 crypto-alg aes-gcm-256
> > ipsec sa add 2 spi 255129 esp tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10 crypto-key A11E51E5B111 crypto-alg aes-gcm-256
> >
> > I got the following errors:
> >
> > 000:41:02.7 --master-lcore 2
> > host-veth1
> > ipsec sa: failed
> >
> > The full config is as follows:
> >
> > set int state eth0 up
> > set int ip address eth0 10.10.10.10/24
> >
> > set int promiscuous on eth0
> >
> > set ip arp eth0 10.10.10.11 b4:96:91:23:1e:d6
> >
> > create host-interface name veth1
> > set int state host-veth1 up
> > set int ip address host-veth1 172.16.1.1/24
> > set ip arp host-veth1 172.16.1.2 d6:4b:87:30:6a:60
> >
> > ip route add 172.16.2.2/24 via 10.10.10.11 eth0
> >
> > ipsec spd add 1
> > set interface ipsec spd eth0 1
> >
> > ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 crypto-key A11E51E5B111 crypto-alg aes-gcm-256
> > ipsec sa add 2 spi 255129 esp tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10 crypto-key A11E51E5B111 crypto-alg aes-gcm-256
> >
> > ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 0.0.0.0-255.255.255.255
> > ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 0.0.0.0-255.255.255.255
> >
> > ipsec policy add spd 1 priority 10 inbound action protect sa 2 local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 172.16.2.1-172.16.2.255
> > ipsec policy add spd 1 priority 10 outbound action protect sa 1 local-ip-range 0.0.0.0-255.255.255.255 remote-ip-range 172.16.2.1-172.16.2.255
> >
> > On Fri, Oct 4, 2019 at 7:52 PM Christian Hopps <cho...@chopps.org> wrote:
> >
> > Double your key length. Probably better to switch to GCM (aes-gcm-256) and drop the separate integrity algorithm too.
> >
> > Thanks,
> > Chris.
> >
> > > On Oct 4, 2019, at 7:23 PM, Chuan Han via Lists.Fd.Io <chuanhan=google....@lists.fd.io> wrote:
> > >
> > > Hi,
> > >
> > > I want to use a 256 bit crypto algorithm in my ipsec config.
> > >
> > > I have something like this:
> > > ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-256 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
> > >
> > > However, it gives me an error when I start vpp.
> > >
> > > ipsec sa: failed
> > >
> > > ipsec is not configured after the failure.
> > >
> > > vpp# sh ipsec all
> > > spd 1
> > > ip4-outbound:
> > > ip6-outbound:
> > > ip4-inbound-protect:
> > > ip6-inbound-protect:
> > > ip4-inbound-bypass:
> > > ip6-inbound-bypass:
> > > SPD Bindings:
> > > 1 -> eth0
> > > Tunnel interfaces
> > > vpp#
> > >
> > > When I change 256 to 128, everything works fine. Does this mean vpp ipsec only supports 128 bit ciphers? Or did I make some stupid mistake?
> > >
> > > If I want to configure 256 bit ciphers, what shall I do?
> > >
> > > I attached the bad cfg file with the 256 bit cipher, and the good cfg file with the 128 bit cipher.
> > >
> > > Thanks.
> > > Chuan
> > > <bad.cfg><good.cfg>
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#14124): https://lists.fd.io/g/vpp-dev/message/14124
> > > Mute This Topic: https://lists.fd.io/mt/34400077/1826170
> > > Group Owner: vpp-dev+ow...@lists.fd.io
> > > Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [cho...@chopps.org]
> > > -=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#14129): https://lists.fd.io/g/vpp-dev/message/14129
Mute This Topic: https://lists.fd.io/mt/34400077/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
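The failure in this thread is a key whose byte length does not match the algorithm name ("ipsec sa: failed" with no further detail). The following check, added here as an example and not code from the thread or from VPP, parses an `ipsec sa add` line and compares the hex length of `crypto-key` and `integ-key` with the size the named algorithm needs. The key-size table is an assumption that covers only the algorithm names that appear in the thread.

```python
import re
import shlex

# Key sizes (bytes) for the algorithm names that appear in the thread.
# Assumption: only these names are covered; extend the tables for other algs.
CRYPTO_KEY_BYTES = {
    "aes-cbc-128": 16, "aes-cbc-256": 32,
    "aes-gcm-128": 16, "aes-gcm-256": 32,
}
INTEG_KEY_BYTES = {"sha1-96": 20}  # HMAC-SHA1 key, as used with sha1-96

HEX_RE = re.compile(r"^[0-9a-fA-F]*$")


def check_sa_keys(cmd: str) -> list:
    """Return the list of key problems in one 'ipsec sa add ...' line ([] = OK)."""
    toks = shlex.split(cmd)
    # Collect the option/value pairs we care about, e.g. {"crypto-alg": "aes-gcm-256"}.
    opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if t in ("crypto-key", "crypto-alg", "integ-key", "integ-alg")}
    problems = []
    for key_opt, alg_opt, sizes in (("crypto-key", "crypto-alg", CRYPTO_KEY_BYTES),
                                    ("integ-key", "integ-alg", INTEG_KEY_BYTES)):
        alg = opts.get(alg_opt)
        if alg is None:
            continue                      # this SA does not use that algorithm class
        want = sizes.get(alg)
        key = opts.get(key_opt)
        if want is None:
            problems.append(f"{alg_opt} {alg}: not in the key-size table")
        elif key is None:
            problems.append(f"{alg}: no {key_opt} given")
        elif not HEX_RE.match(key) or len(key) % 2:
            problems.append(f"{key_opt}: not an even-length hex string")
        elif len(key) // 2 != want:
            have = len(key) // 2
            problems.append(f"{alg}: key is {have} bytes ({have * 8} bits), "
                            f"needs {want} bytes ({want * 8} bits)")
    return problems


if __name__ == "__main__":
    # The aes-gcm-256 SA from the thread: its 6-byte key is the reported failure.
    print(check_sa_keys("ipsec sa add 1 spi 255128 esp tunnel-src 10.10.10.10 "
                        "tunnel-dst 10.10.10.11 crypto-key A11E51E5B111 crypto-alg aes-gcm-256"))
```

Running the three SA lines from the thread through it reports the 16-byte key on `aes-cbc-256` and the 6-byte key on `aes-gcm-256`, and accepts the doubled 32-byte key.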