AMD Geode LX crypto accelerator (glxsb)

Patrick Lamaizière patfbsd at davenulle.org
Thu Jul 10 06:34:17 UTC 2008


On Wed, 09 Jul 2008 15:31:30 -0400,
Mike Tancsa <mike at sentex.net> wrote:

> Without the module loaded, I can do something simple like
> 
> 
> # sh s
> # cat s
> MEOUTSIDE=64.x.x.x
> MEINSIDE=192.168.5.0/24
> REMOTEOUTSIDE=64.y.y.y
> REMOTEINSIDE=192.168.1.0/24
> IPSECKEY=zxzpprlNH61N11SGfrCa8dxZ
> 
> 
> setkey -c <<EOF
>          add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E rijndael-cbc  "$IPSECKEY";
>          add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E rijndael-cbc  "$IPSECKEY";
>          spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
>          spdadd $REMOTEINSIDE $MEINSIDE any -P in  ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
> EOF
> 
> 
> But if I load the glxsb modules, setkey fails on the same policy.
> 
> # setkey -F
> # setkey -FP
> # setkey -DP
> No SPD entries.
> # kldload glxsb
> # dmesg | tail
> vr0: link state changed to DOWN
> vr0: link state changed to UP
> vr0: promiscuous mode enabled
> vr0: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> vr1: promiscuous mode enabled
> vr1: promiscuous mode disabled
> glxsb0: detached
> glxsb0: <AMD Geode LX Security Block (AES-128-CBC,RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0
> # sh s
> The result of line 1: Invalid argument.
> The result of line 2: Invalid argument.
> #
> 
> What is the proper AES encryption to use for IPSEC?

It is rijndael-cbc.

> Why is there a difference in syntax ?

I don't know. Maybe the key? The length of your key is 24 characters,
it should be 16 (128 bits).

Does it work with a 128-bit key?

My setkey setup is:
flush;
spdflush;
add 192.168.1.21 192.168.1.200 esp 1011
        -E rijndael-cbc "0123456789012345"
        -A hmac-sha1 "98765432109876543210";
add 192.168.1.200 192.168.1.21 esp 1012
        -E rijndael-cbc "0123456789012345"
        -A hmac-sha1 "98765432109876543210";
spdadd 192.168.1.200 192.168.1.21 any -P out ipsec
        esp/transport//require;
spdadd 192.168.1.21 192.168.1.200 any -P in ipsec
        esp/transport//require;

Regards.
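
Added example, not part of the original post or of FreeBSD: a small sh/awk check that reads a setkey(8) script on stdin and reports the key size of every "-E rijndael-cbc" SA, following the reply's suggestion that the key should be 16 bytes and the "AES-128-CBC" shown in the glxsb probe line. The function name check_esp_keys, the addresses and the keys are constructed for illustration; quoted keys are assumed to contain no whitespace or ';'.

```sh
#!/bin/sh
# Added example (not from the original post).
# Reads a setkey(8) script on stdin (after shell variable expansion) and
# prints one line per SA that uses -E rijndael-cbc:
#   spi=<spi> alg=rijndael-cbc bits=<key bits> ok|mismatch
# Returns 1 if any such key is not 128 bits (16 bytes), else 0.
# Keys may be "quoted strings" or 0x-prefixed hex, as setkey(8) accepts.
# Assumption: quoted keys contain no whitespace or ';'.
check_esp_keys() {
    grep -v '^[[:space:]]*#' |      # drop comment lines
    tr '\n' ' ' | tr ';' '\n' |     # one ';'-terminated statement per line
    awk '
    $1 == "add" {
        spi = $5                    # add src dst protocol spi ...
        for (i = 6; i <= NF - 2; i++) {
            if ($i != "-E" || $(i + 1) != "rijndael-cbc") continue
            key = $(i + 2)
            if (key ~ /^".*"$/)
                bytes = length(key) - 2               # strip the two quotes
            else if (key ~ /^0x[0-9a-fA-F]+$/)
                bytes = int((length(key) - 1) / 2)    # two hex digits per byte
            else
                bytes = 0                             # unrecognised key syntax
            verdict = (bytes == 16) ? "ok" : "mismatch"
            if (verdict != "ok") bad = 1
            printf "spi=%s alg=rijndael-cbc bits=%d %s\n", spi, bytes * 8, verdict
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample: one 24-character key and one 16-character key.
check_esp_keys <<'EOF' || echo "at least one rijndael-cbc key is not 128 bits"
add 192.0.2.1 192.0.2.2 esp 1049
        -m any -E rijndael-cbc "AAAAAAAAAAAAAAAAAAAAAAAA";
add 192.0.2.2 192.0.2.1 esp 1050
        -E rijndael-cbc "0123456789abcdef"
        -A hmac-sha1 "constructed-20-bytes";
EOF
```

Feed it the expanded script (the heredoc body after the shell has substituted variables such as $IPSECKEY) before loading the SAs on a box whose crypto driver advertises only AES-128-CBC.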

