Re: IPSEC stops working after r285336

From: George Neville-Neil <gnn_at_neville-neil.com>
Date: Tue, 04 Aug 2015 16:21:51 +0100
Two things you might do to help.

The first is just send out a list of what you are testing so we know.

The second is to contribute configs and the like to the netperf repo

https://github.com/gvnn3/netperf

We take pull requests :-)

Best,
George

On 3 Aug 2015, at 23:20, Sydney Meyer wrote:

> Besides strongSwan (actually, I don't know of any other IKE daemon 
> which supports AES-GCM, apart from NetBSD's racoon), connections with 
> manually set up policies indeed seem to work fine, host-host iperf 
> stuff, nothing fancy yet.
>
> Anyway, I will start playing around with this in some more scenarios 
> and let you guys know if I come across any problems.
>
> If you would like me to test something specific, please let me know if 
> I can help.
>
> Cheers,
> S.
>
>> On 03 Aug 2015, at 18:23, George Neville-Neil <gnn_at_neville-neil.com> 
>> wrote:
>>
>> This is being actively debugged and jmg_at_ and I have been testing a 
>> fix that should
>> address this issue.
>>
>> Best,
>> George
>>
>>
>> On 3 Aug 2015, at 0:15, Sydney Meyer wrote:
>>
>>> Hi John-Mark,
>>>
>>> the revision I built included gnn's patches to setkey already.
>>>
>>> I have tried to set up a tunnel using strongSwan with GCM as ESP 
>>> cipher mode, but the connection fails with "algorithm AES_GCM_16 not 
>>> supported by kernel".
>>>
>>> Here's the full log output:
>>>
>>> Aug  3 00:34:28 00[DMN] Starting IKE charon daemon (strongSwan 
>>> 5.3.2, FreeBSD 11.0-CURRENT, amd64)
>>> Aug  3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>> Aug  3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 
>>> 4500 failed
>>> Aug  3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>> Aug  3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port 
>>> 4500 failed
>>> Aug  3 00:34:28 00[CFG] loading ca certificates from 
>>> '/usr/local/etc/ipsec.d/cacerts'
>>> Aug  3 00:34:28 00[CFG] loading aa certificates from 
>>> '/usr/local/etc/ipsec.d/aacerts'
>>> Aug  3 00:34:28 00[CFG] loading ocsp signer certificates from 
>>> '/usr/local/etc/ipsec.d/ocspcerts'
>>> Aug  3 00:34:28 00[CFG] loading attribute certificates from 
>>> '/usr/local/etc/ipsec.d/acerts'
>>> Aug  3 00:34:28 00[CFG] loading crls from 
>>> '/usr/local/etc/ipsec.d/crls'
>>> Aug  3 00:34:28 00[CFG] loading secrets from 
>>> '/usr/local/etc/ipsec.secrets'
>>> Aug  3 00:34:28 00[CFG]   loaded IKE secret for _at_moon.strongswan.org 
>>> _at_sun.strongswan.org
>>> Aug  3 00:34:28 00[LIB] loaded plugins: charon aes des blowfish rc2 
>>> sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey 
>>> pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc 
>>> cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve 
>>> socket-default stroke updown eap-identity eap-md5 eap-mschapv2 
>>> eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
>>> Aug  3 00:34:28 00[JOB] spawning 16 worker threads
>>> Aug  3 00:34:28 15[CFG] received stroke: add connection 'host-host'
>>> Aug  3 00:34:28 15[CFG] added configuration 'host-host'
>>> Aug  3 00:34:47 15[NET] received packet: from 10.0.30.109[500] to 
>>> 10.0.30.59[500] (448 bytes)
>>> Aug  3 00:34:47 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
>>> N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>> Aug  3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
>>> Aug  3 00:34:47 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No 
>>> N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
>>> Aug  3 00:34:47 15[NET] sending packet: from 10.0.30.59[500] to 
>>> 10.0.30.109[500] (448 bytes)
>>> Aug  3 00:34:47 15[NET] received packet: from 10.0.30.109[4500] to 
>>> 10.0.30.59[4500] (282 bytes)
>>> Aug  3 00:34:47 15[ENC] parsed IKE_AUTH request 1 [ IDi 
>>> N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) 
>>> N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> Aug  3 00:34:47 15[CFG] looking for peer configs matching 
>>> 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>> Aug  3 00:34:47 15[CFG] selected peer config 'host-host'
>>> Aug  3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with 
>>> pre-shared key successful
>>> Aug  3 00:34:47 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not 
>>> using ESPv3 TFC padding
>>> Aug  3 00:34:47 15[IKE] peer supports MOBIKE
>>> Aug  3 00:34:47 15[IKE] authentication of 'sun.strongswan.org' 
>>> (myself) with pre-shared key
>>> Aug  3 00:34:47 15[IKE] IKE_SA host-host[1] established between 
>>> 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>> Aug  3 00:34:47 15[IKE] scheduling reauthentication in 3416s
>>> Aug  3 00:34:47 15[IKE] maximum IKE_SA lifetime 3596s
>>> Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by 
>>> kernel!
>>> Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by 
>>> kernel!
>>> Aug  3 00:34:47 15[IKE] unable to install inbound and outbound IPsec 
>>> SA (SAD) in kernel
>>> Aug  3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
>>> Aug  3 00:34:47 15[KNL] unable to delete SAD entry with SPI 
>>> c07a87b4: No such file or directory (2)
>>> Aug  3 00:34:47 15[KNL] unable to delete SAD entry with SPI 
>>> c653554a: No such file or directory (2)
>>> Aug  3 00:34:47 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH 
>>> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
>>> Aug  3 00:34:47 15[NET] sending packet: from 10.0.30.59[4500] to 
>>> 10.0.30.109[4500] (159 bytes)
>>>
>>> I know that pfSense has moved from racoon to strongSwan as their 
>>> IKE daemon, IIRC mainly because of strongSwan's IKEv2 daemon and 
>>> their GCM support. I'm going to try and have a look at what changes 
>>> pfSense may have made to strongSwan to support GCM on FreeBSD, 
>>> although I should probably mention that I am not very experienced at 
>>> this.
>>>
>>>
>>>> On 02 Aug 2015, at 05:53, John-Mark Gurney <jmg_at_funkthat.com> 
>>>> wrote:
>>>>
>>>> Sydney Meyer wrote this message on Sun, Aug 02, 2015 at 04:03 
>>>> +0200:
>>>>> I have tried your patches from your ipsecgcm branch. The build 
>>>>> completes, boots fine and indeed, dmesg shows "aesni0: 
>>>>> <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard".
>>>>
>>>> Yeh, these patches are more about getting IPsec to work w/ the 
>>>> modes
>>>> that aesni now supports...
>>>>
>>>>> I'm going to try out the new cipher modes tomorrow and will get 
>>>>> back..
>>>>
>>>> Make sure you get gnn's setkey changes in r286143, otherwise GCM
>>>> and CTR won't work...
>>>>
>>>> Thanks for doing more testing.. I've only done basic ping tests, so
>>>> passing more real traffic through would be nice...
>>>>
>>>>>> On 01 Aug 2015, at 22:01, John-Mark Gurney <jmg_at_funkthat.com> 
>>>>>> wrote:
>>>>>>
>>>>>> Sydney Meyer wrote this message on Wed, Jul 29, 2015 at 22:01 
>>>>>> +0200:
>>>>>>> Same here, fixed running r286015. Thanks a bunch.
>>>>>>
>>>>>> If you'd like to do some more testing, test the patches in:
>>>>>> https://github.com/jmgurney/freebsd/tree/ipsecgcm
>>>>>>
>>>>>> These patches get GCM and CTR modes working as tested against 
>>>>>> NetBSD
>>>>>> 6.1.5...
>>>>>>
>>>>>> Hope to commit these in the next few days..
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>>>> On 29 Jul 2015, at 14:56, Alexandr Krivulya 
>>>>>>>> <shuriku_at_shurik.kiev.ua> wrote:
>>>>>>>>
>>>>>>>> 29.07.2015 10:17, John-Mark Gurney wrote:
>>>>>>>>> Alexandr Krivulya wrote this message on Thu, Jul 23, 2015 at 
>>>>>>>>> 10:38 +0300:
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>> With r285535 all works fine.
>>>>>>>>> Sydney Meyer wrote this message on Mon, Jul 27, 2015 at 23:49 
>>>>>>>>> +0200:
>>>>>>>>>> I'm having the same problem with IPSec, running -current with 
>>>>>>>>>> r285794.
>>>>>>>>>>
>>>>>>>>>> Don't know if this helps, but "netstat -s -p esp" shows 
>>>>>>>>>> packets dropped; bad ilen.
>>>>>>>>> It looks like there was an issue w/ that commit...  After 
>>>>>>>>> looking at
>>>>>>>>> the code, and working w/ gnn, I have committed r286000 which 
>>>>>>>>> fixes it
>>>>>>>>> in my test cases...
>>>>
>>>> -- 
>>>> John-Mark Gurney				Voice: +1 415 225 5579
>>>>
>>>> "All that I will do, has been done, All that I have, has not."
>>>
>>> _______________________________________________
>>> freebsd-current_at_freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>> To unsubscribe, send any mail to 
>>> "freebsd-current-unsubscribe_at_freebsd.org"
>
Received on Tue Aug 04 2015 - 13:22:05 UTC
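The charon log quoted in the thread shows the pattern worth catching automatically: the IKE_SA comes up fine, then the kernel refuses the negotiated ESP algorithm and the CHILD_SA install fails, so the tunnel never carries traffic even though IKE authentication succeeded. The following is an added example, not code from the thread or from strongSwan; it parses charon's default log line format (`Mon DD HH:MM:SS NN[SUBSYS] message`) as seen in the quoted output and correlates events per worker thread. The sample lines are a constructed subset of the quoted log, unwrapped onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines quoted in the thread.
SAMPLE_LOG = """\
Aug  3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
Aug  3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Aug  3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
Aug  3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug  3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug  3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Aug  3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# charon default format: "Mon DD HH:MM:SS <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established")
UNSUPPORTED_RE = re.compile(r"algorithm (?P<alg>\S+) not supported by kernel")
CHILD_FAIL_RE = re.compile(r"failed to establish CHILD_SA")

def parse_charon(text):
    """Yield (thread, subsystem, message) for each well-formed charon log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["thread"], m["sub"], m["msg"]

def diagnose(text):
    """Report UDP_ENCAP failures and every CHILD_SA failure, with the IKE_SA it
    belongs to and the algorithms the kernel rejected, correlated per thread."""
    report = {"udp_encap_failed": False, "child_sa_failures": []}
    state = defaultdict(lambda: {"conn": None, "unsupported": set()})
    for thread, sub, msg in parse_charon(text):
        if sub == "KNL" and "unable to set UDP_ENCAP" in msg:
            report["udp_encap_failed"] = True
        elif (m := ESTABLISHED_RE.search(msg)):
            state[thread]["conn"] = f"{m['conn']}[{m['id']}]"
        elif (m := UNSUPPORTED_RE.search(msg)):
            state[thread]["unsupported"].add(m["alg"])
        elif CHILD_FAIL_RE.search(msg):
            st = state[thread]
            report["child_sa_failures"].append(
                {"ike_sa": st["conn"], "unsupported_algorithms": sorted(st["unsupported"])})
            st["unsupported"].clear()
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A non-empty `child_sa_failures` list with `unsupported_algorithms` set means the IKE proposal and the kernel's SADB support disagree, which is the mismatch the thread is chasing; an empty list with `udp_encap_failed` set only indicates that NAT-T will not work, not that the SA itself failed.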