Using OpenBSD's isakmpd in FreeBSD
Ralf Hornik Mailings
ralf at best.homeunix.org
Thu Jul 17 15:27:57 UTC 2008
Appendix:
The corresponding suite is:
[AES-SHA-GRP5-RSA_SIG]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,128:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1536
Might it be that this AES cipher is missing in the kernel?
A man (4) crypto shows:
----------------
Depending on hardware being present, the following symmetric and asymmet-
ric cryptographic features are potentially available from /dev/crypto:
...
CRYPTO_AES_CBC
...
----------------
For IPSec I added
option IPSEC
device crypto
device cryptodev
device hifn (for hifn card)
to the kernel file.
Am I missing something else, or what else can I do?
Regards
Ralf
"Ralf Hornik Mailings" <ralf at best.homeunix.org> wrote:
> Dear List,
>
> I want to switch my routers from openbsd to freebsd and use the port
> of isakmpd for my
> vpn tunnels. But when I want to use my config from openbsd, isakmpd
> doesn't seem to
> configure aes in phase I proposal.
>
> The corresponding config entry is:
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= AES-SHA-GRP5-RSA_SIG
>
> starting isakmpd shows up:
>
> ike_phase_1_initiator_send_SA: section [AES-SHA-GRP5-RSA_SIG] has
> unsupported attribute(s)
>
> When I use 3des instead, isakmpd starts without errors. But I MUST
> use aes in phase I
> because all remote peers use it, I cannot change them all. Has
> anybody an idea, why
> isakmpd won't use aes in phase I but in phase II?
> Thank you and best Regards
>
> Ralf
>
> --
> everything stays different...
--
everything stays different...