FAST_IPSEC + device padlock + device crypto + IKE broken?

Adrian Steinmann ast at webgroup.ch
Tue Sep 5 23:32:09 PDT 2006


In my kernel config, I have

    options FAST_IPSEC
    device padlock
    device crypto

which enables the crypto acceleration in VIA C3 and C7 CPUs.  IPSEC
with static rijndael-cbc keys of length 128, 192, and 256 makes use
of the acceleration when sysctl net.inet.ipsec.crypto_support=1;
- so far, so good.

Yet when I configure racoon from ipsec-tools, racoon2, or iked for
dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When
I set net.inet.ipsec.crypto_support=0 these same dynamic IKE key
configurations work, albeit without HW crypto acceleration.

Has anyone else observed this and know what the problem is?

Adrian


More information about the freebsd-stable mailing list