Hello George,

sorry for the late reply.

I wasn't benchmarking/testing anything specific, i'm just interested in FreeBSD for virtual networking (router, packet filter, ipsec-gateway, etc.) since the addition of XENHVM and more recently IPSEC.

(Network) Benchmarking a virtual environment is a topic (as with benchmarking in general, as i have learned also from your talk at bsdcon '15 :), where one can do many things wrong, so for now i've decided that i need to read more about the topic, before i can supply useable results or bug reports, which do not stem from misinterpretation/misconfiguration.

When i do actual testing, i will include netperf and let you know the specs, configs and results.

> On 04 Aug 2015, at 17:21, George Neville-Neil <gnn_at_neville-neil.com> wrote:
>
> Two things you might do to help.
>
> The first is just send out a list of what you are testing so we know.
>
> The second is to contribute configs and the like to the netperf repo
>
> https://github.com/gvnn3/netperf
>
> We take pull requests :-)
>
> Best,
> George
>
> On 3 Aug 2015, at 23:20, Sydney Meyer wrote:
>
>> Besides strongswan (actually, i don't know of any other ike-daemon which supports aes-gcm, apart from netbsd's racoon) connections with manually set up policies indeed seem to work fine, host-host iperf stuff, nothing fancy yet.
>>
>> Anyway, i will start playing around with this in some more scenarios and let you guys know if i come around any problems.
>>
>> If you would like me to test something specific, please let me know if i can help.
>>
>> Cheers,
>> S.
>>
>>> On 03 Aug 2015, at 18:23, George Neville-Neil <gnn_at_neville-neil.com> wrote:
>>>
>>> This is being actively debugged and jmg_at_ and I have been testing a fix that should
>>> address this issue.
>>>
>>> Best,
>>> George
>>>
>>>
>>> On 3 Aug 2015, at 0:15, Sydney Meyer wrote:
>>>
>>>> Hi John-Mark,
>>>>
>>>> the revision i built included gnn's patches to setkey already.
>>>>
>>>> I have tried to setup a tunnel using strongswan with gcm as esp cipher mode, but the connection fails with "algorithm AES_GCM_16 not supported by kernel"..
>>>>
>>>> Here's the full log output:
>>>>
>>>> Aug 3 00:34:28 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 11.0-CURRENT, amd64)
>>>> Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>>> Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
>>>> Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
>>>> Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
>>>> Aug 3 00:34:28 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>>>> Aug 3 00:34:28 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>>>> Aug 3 00:34:28 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>>>> Aug 3 00:34:28 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>>>> Aug 3 00:34:28 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>>>> Aug 3 00:34:28 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>>>> Aug 3 00:34:28 00[CFG] loaded IKE secret for _at_moon.strongswan.org _at_sun.strongswan.org
>>>> Aug 3 00:34:28 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
>>>> Aug 3 00:34:28 00[JOB] spawning 16 worker threads
>>>> Aug 3 00:34:28 15[CFG] received stroke: add connection 'host-host'
>>>> Aug 3 00:34:28 15[CFG] added configuration 'host-host'
>>>> Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[500] to 10.0.30.59[500] (448 bytes)
>>>> Aug 3 00:34:47 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>> Aug 3 00:34:47 15[IKE] 10.0.30.109 is initiating an IKE_SA
>>>> Aug 3 00:34:47 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
>>>> Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[500] to 10.0.30.109[500] (448 bytes)
>>>> Aug 3 00:34:47 15[NET] received packet: from 10.0.30.109[4500] to 10.0.30.59[4500] (282 bytes)
>>>> Aug 3 00:34:47 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>> Aug 3 00:34:47 15[CFG] looking for peer configs matching 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>>> Aug 3 00:34:47 15[CFG] selected peer config 'host-host'
>>>> Aug 3 00:34:47 15[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
>>>> Aug 3 00:34:47 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Aug 3 00:34:47 15[IKE] peer supports MOBIKE
>>>> Aug 3 00:34:47 15[IKE] authentication of 'sun.strongswan.org' (myself) with pre-shared key
>>>> Aug 3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
>>>> Aug 3 00:34:47 15[IKE] scheduling reauthentication in 3416s
>>>> Aug 3 00:34:47 15[IKE] maximum IKE_SA lifetime 3596s
>>>> Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
>>>> Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
>>>> Aug 3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>>>> Aug 3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
>>>> Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c07a87b4: No such file or directory (2)
>>>> Aug 3 00:34:47 15[KNL] unable to delete SAD entry with SPI c653554a: No such file or directory (2)
>>>> Aug 3 00:34:47 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
>>>> Aug 3 00:34:47 15[NET] sending packet: from 10.0.30.59[4500] to 10.0.30.109[4500] (159 bytes)
>>>>
>>>> I know that pfsense has moved from racoon to strongswan as their ike-daemon, iirc mainly because of strongswans ikev2 daemon and their GCM support. I'm going to try and have a look what changes pfsense may have made to strongswan to support GCM on FreeBSD, although i should probably mention, i am not very experienced at this.
>>>>
>>>>
>>>>> On 02 Aug 2015, at 05:53, John-Mark Gurney <jmg_at_funkthat.com> wrote:
>>>>>
>>>>> Sydney Meyer wrote this message on Sun, Aug 02, 2015 at 04:03 +0200:
>>>>>> i have tried your patches from your ipsecgcm branch. The build completes, boots fine and indeed, dmesg shows "aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard".
>>>>>
>>>>> Yeh, these patches are more about getting IPsec to work w/ the modes
>>>>> that aesni now supports...
>>>>>
>>>>>> I'm going to try out the new cipher modes tomorrow and will get back..
>>>>>
>>>>> Make sure you get the gnn's setkey changes in r286143 otherwise GCM
>>>>> and CTR won't work...
>>>>>
>>>>> Thanks for doing more testing.. I've only done basic ping tests, so
>>>>> passing more real traffic through would be nice...
>>>>>
>>>>>>> On 01 Aug 2015, at 22:01, John-Mark Gurney <jmg_at_funkthat.com> wrote:
>>>>>>>
>>>>>>> Sydney Meyer wrote this message on Wed, Jul 29, 2015 at 22:01 +0200:
>>>>>>>> Same here, fixed running r286015. Thanks a bunch.
>>>>>>>
>>>>>>> If you'd like to do some more testing, test the patches in:
>>>>>>> https://github.com/jmgurney/freebsd/tree/ipsecgcm
>>>>>>>
>>>>>>> These patches get GCM and CTR modes working as tested against NetBSD
>>>>>>> 6.1.5...
>>>>>>>
>>>>>>> Hope to commit these in the next few days..
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>>> On 29 Jul 2015, at 14:56, Alexandr Krivulya <shuriku_at_shurik.kiev.ua> wrote:
>>>>>>>>>
>>>>>>>>> 29.07.2015 10:17, John-Mark Gurney ??????????:
>>>>>>>>>> Alexandr Krivulya wrote this message on Thu, Jul 23, 2015 at 10:38 +0300:
>>>>>>>>>>
>>>>>>>>>> [...]
>>>>>>>>>>
>>>>>>>>>>> With r285535 all works fine.
>>>>>>>>>> Sydney Meyer wrote this message on Mon, Jul 27, 2015 at 23:49 +0200:
>>>>>>>>>>> I'm having the same problem with IPSec, running -current with r285794.
>>>>>>>>>>>
>>>>>>>>>>> Don't know if this helps, but "netstat -s -p esp" shows packets dropped; bad ilen.
>>>>>>>>>> It looks like there was an issue w/ that commit... After looking at
>>>>>>>>>> the code, and working w/ gnn, I have committed r286000 which fixes it
>>>>>>>>>> in my test cases...
>>>>>
>>>>> --
>>>>> John-Mark Gurney Voice: +1 415 225 5579
>>>>>
>>>>> "All that I will do, has been done, All that I have, has not."
>>>>
>>>> _______________________________________________
>>>> freebsd-current_at_freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>>> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
>>
>> _______________________________________________
>> freebsd-current_at_freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"

Received on Thu Aug 06 2015 - 02:47:49 UTC
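
Added example, not part of the original thread and not strongSwan or FreeBSD code: a small triage script for the charon log quoted above, which separates "IKE authentication succeeded" from "the kernel refused the negotiated ESP algorithm", the failure mode reported in this thread. The function names and the result keys are assumptions of this example; the sample lines are copied from the quoted log.

```python
import re

# Sample input: lines copied from the charon log quoted in this thread.
SAMPLE_LOG = """\
Aug 3 00:34:28 00[KNL] unable to set UDP_ENCAP: Invalid argument
Aug 3 00:34:28 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
Aug 3 00:34:47 15[IKE] IKE_SA host-host[1] established between 10.0.30.59[sun.strongswan.org]...10.0.30.109[moon.strongswan.org]
Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug 3 00:34:47 15[KNL] algorithm AES_GCM_16 not supported by kernel!
Aug 3 00:34:47 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Aug 3 00:34:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# "<timestamp> <thread>[<subsystem>] <message>" as seen in the quoted log.
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\d+\[(?P<sub>[A-Z]{3})\]\s+(?P<msg>.*)$")
ESTABLISHED = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established")
UNSUPPORTED = re.compile(r"algorithm (?P<alg>\S+) not supported by kernel")

def triage(log_text):
    """Collect IKE-level successes and kernel-level SA installation failures."""
    findings = {"ike_established": [], "kernel_unsupported": set(),
                "child_sa_failed": False, "udp_encap_failed": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tolerate wrapped or unrelated lines
        sub, msg = m["sub"], m["msg"]
        if sub == "IKE" and (e := ESTABLISHED.search(msg)):
            findings["ike_established"].append(e["conn"])
        elif sub == "KNL" and (u := UNSUPPORTED.search(msg)):
            findings["kernel_unsupported"].add(u["alg"])  # set: log repeats per direction
        elif sub == "KNL" and "unable to set UDP_ENCAP" in msg:
            findings["udp_encap_failed"] = True
        elif sub == "IKE" and "failed to establish CHILD_SA" in msg:
            findings["child_sa_failed"] = True
    return findings

def diagnose(f):
    """Turn the findings into a one-line verdict."""
    if f["ike_established"] and f["child_sa_failed"] and f["kernel_unsupported"]:
        algs = ", ".join(sorted(f["kernel_unsupported"]))
        return f"IKE auth OK; kernel rejected ESP algorithm(s): {algs}"
    if f["child_sa_failed"]:
        return "CHILD_SA failed; no kernel algorithm error seen"
    return "no CHILD_SA failure found"

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```
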