AMD Geode LX crypto accelerator (glxsb)
Patrick Lamaizière
patfbsd at davenulle.org
Thu Jul 10 06:34:17 UTC 2008
On Wed, 09 Jul 2008 15:31:30 -0400,
Mike Tancsa <mike at sentex.net> wrote:
> Without the module loaded, I can do something simple like
>
>
> # sh s
> # cat s
> MEOUTSIDE=64.x.x.x
> MEINSIDE=192.168.5.0/24
> REMOTEOUTSIDE=64.y.y.y
> REMOTEINSIDE=192.168.1.0/24
> IPSECKEY=zxzpprlNH61N11SGfrCa8dxZ
>
>
> setkey -c <<EOF
> add $MEOUTSIDE $REMOTEOUTSIDE esp 1049
>     -m any -E rijndael-cbc "$IPSECKEY";
> add $REMOTEOUTSIDE $MEOUTSIDE esp 1049
>     -m any -E rijndael-cbc "$IPSECKEY";
> spdadd $MEINSIDE $REMOTEINSIDE any -P
>     out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
> spdadd $REMOTEINSIDE $MEINSIDE any -P
>     in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
> EOF
>
>
> But if I load the glxsb modules, setkey fails on the same policy.
>
> # setkey -F
> # setkey -FP
> # setkey -DP
> No SPD entries.
> # kldload glxsb
> # dmesg | tail
> vr0: link state changed to DOWN
> vr0: link state changed to UP
> vr0: promiscuous mode enabled
> vr0: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> glxsb0: detached
> glxsb0: <AMD Geode LX Security Block (AES-128-CBC,RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0
> # sh s
> The result of line 1: Invalid argument.
> The result of line 2: Invalid argument.
> #
>
> What is the proper AES encryption to use for IPsec?
It is rijndael-cbc.
> Why is there a difference in syntax?
I don't know. Maybe the key? The length of your key is 24 characters;
it should be 16 (128 bits).
Does it work with a 128-bit key?
My setkey setup is:
flush;
spdflush;
add 192.168.1.21 192.168.1.200 esp 1011
    -E rijndael-cbc "0123456789012345"
    -A hmac-sha1 "98765432109876543210";
add 192.168.1.200 192.168.1.21 esp 1012
    -E rijndael-cbc "0123456789012345"
    -A hmac-sha1 "98765432109876543210";
spdadd 192.168.1.200 192.168.1.21 any -P out ipsec
    esp/transport//require;
spdadd 192.168.1.21 192.168.1.200 any -P in ipsec
    esp/transport//require;
Regards.
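As an added example (my own script, not code from this thread nor from Mike's or Patrick's setup): a POSIX sh generator for the same kind of manual-SA setkey configuration that checks key lengths before anything reaches setkey, so a key like the 24-character one above is caught with a readable message instead of "Invalid argument". It assumes, following Patrick's suggestion and the AES-128-CBC the glxsb probe line advertises, that the rijndael-cbc key must be exactly 16 bytes, and that the hmac-sha1 key is 20 bytes. setkey's software rijndael-cbc also takes 192- and 256-bit keys, which is consistent with the file working when the module is not loaded; the thread itself does not confirm that this is the cause. The addresses, SPIs and keys used in the demo calls are constructed placeholders, and the tunnel/hmac-sha1 combination is my choice (the original script used -m any without an -A authentication algorithm).

```shell
#!/bin/sh
# Added example, not from the thread: generate a manual-SA setkey script
# like the ones above, but refuse keys whose length will not work.
# Assumptions (mine, not the original posters'): glxsb advertises
# AES-128-CBC only, so rijndael-cbc keys are held to exactly 16 bytes;
# hmac-sha1 keys are held to 20 bytes. Keys are passed in setkey syntax,
# either a double-quoted ASCII string or a 0x-prefixed hex string.

# Byte length of a key as setkey would interpret it.
key_bytes() {
    case "$1" in
        0x*)   h=${1#0x}; echo $(( ${#h} / 2 )) ;;
        \"*\") s=${1#\"}; s=${s%\"}; echo ${#s} ;;
        *)     echo ${#1} ;;
    esac
}

# True when the key is usable as AES-128-CBC (what the glxsb probe reports).
aes128_key_ok() {
    [ "$(key_bytes "$1")" -eq 16 ]
}

# True when the key has the 160-bit length expected for hmac-sha1.
hmac_sha1_key_ok() {
    [ "$(key_bytes "$1")" -eq 20 ]
}

# Fresh random key of N bytes in setkey's 0x hex form, read from /dev/urandom.
rand_key_hex() {
    printf '0x%s\n' "$(od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# Emit a tunnel-mode ESP setup (both SAs and both policies) between
# me_out/me_in and rem_out/rem_in. Prints nothing and returns 1 when a
# key has the wrong length, so nothing half-written reaches setkey.
gen_setkey_conf() {
    me_out=$1 me_in=$2 rem_out=$3 rem_in=$4
    spi_out=$5 spi_in=$6 ekey=$7 akey=$8
    if ! aes128_key_ok "$ekey"; then
        echo "rijndael-cbc key is $(key_bytes "$ekey") bytes, glxsb needs 16" >&2
        return 1
    fi
    if ! hmac_sha1_key_ok "$akey"; then
        echo "hmac-sha1 key is $(key_bytes "$akey") bytes, need 20" >&2
        return 1
    fi
    cat <<EOF
flush;
spdflush;
add $me_out $rem_out esp $spi_out -m tunnel -E rijndael-cbc $ekey -A hmac-sha1 $akey;
add $rem_out $me_out esp $spi_in -m tunnel -E rijndael-cbc $ekey -A hmac-sha1 $akey;
spdadd $me_in $rem_in any -P out ipsec esp/tunnel/$me_out-$rem_out/require;
spdadd $rem_in $me_in any -P in ipsec esp/tunnel/$rem_out-$me_out/require;
EOF
}

# Constructed demo values (RFC 5737 documentation addresses), not real hosts.
# The 24-byte key from the thread is rejected; fresh 16/20-byte keys pass.
gen_setkey_conf 192.0.2.1 192.168.5.0/24 198.51.100.1 192.168.1.0/24 \
    1011 1012 '"zxzpprlNH61N11SGfrCa8dxZ"' '"98765432109876543210"' \
    || echo "(rejected, as expected)" >&2
gen_setkey_conf 192.0.2.1 192.168.5.0/24 198.51.100.1 192.168.1.0/24 \
    1011 1012 "$(rand_key_hex 16)" "$(rand_key_hex 20)"
```

On the router the generated text goes to setkey the same way as the script in the thread, e.g. `sh gen.sh > ipsec.conf && setkey -f ipsec.conf`; the two directions get distinct SPIs as in Patrick's setup, and random keys from rand_key_hex avoid the short ASCII keys both configurations above use.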
More information about the freebsd-stable mailing list