# [Bug 263379] [regression] [ipsec] compatibility broken between stable/12 and stable/13 opencrypto in AEAD mode


*From:* **<bugzilla-noreply_at_freebsd.org>**
*Date:* **Sun, 17 Apr 2022 18:44:59 UTC**

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263379

```text
Bug ID: 263379
Summary: [regression] [ipsec] compatibility broken between stable/12 and stable/13 opencrypto in AEAD mode
Product: Base System
Version: 13.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: jhb@FreeBSD.org
Reporter: eugen@freebsd.org
CC: net@FreeBSD.org
Flags: mfc-stable13?
```

Hi!

Assume we have the following in /etc/ipsec.conf:

```text
add 1.1.1.1 2.2.2.2 esp 7888 -m transport -E aes-gcm-16 "3#&*f738@?>=_fOH<D30z%WV&*^>@0D+n1{c" -A hmac-sha2-512 "M@-#@k9?NWiuj4f04jJE(dm{4/B=p9d5@7v}naW,[3!_1}4.]n-t;99L0+/14004";
```

Exact key values do not matter, but their length does matter.

`/sbin/setkey -f /etc/ipsec.conf` parses this just fine on both stable/12 and stable/13 and sends a message over a socket to the kernel to add the new SA. The stable/12 kernel accepts it (and then it works), but stable/13 of 17 April 2022 rejects it with EINVAL.

Note that the stock stable/13 kernel accepts it if you change hmac-sha2-512 to hmac-sha2-256 and halve the length of the key.

Here is a preliminary and incomplete patch for stable/13 opencrypto that makes stable/13 accept this and install the new SA: http://www.grosbein.net/freebsd/opencrypto/opencrypto.diff

Still, the patch does not solve the problem completely, as ESP packets sent from the patched stable/13 system get dropped by stable/12, increasing the error counter "packets dropped; no transform" in the output of `netstat -sp esp`.

Note again that the stable/12 system has another stable/12 peer with the same configuration, and encrypted traffic flows just fine.

There is no IKE daemon in the picture, intentionally, to simplify debugging.

--
You are receiving this mail because:
You are on the CC list for the bug.
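An added check, not part of the bug report or of FreeBSD: a POSIX shell script that pulls each algorithm/key pair out of the setkey(8) `add` line from the report and compares the key length in bytes with the sizes setkey(8) documents (assumed here: 160/224/288 bits for aes-gcm-16, i.e. a 16/24/32-byte AES key plus a 4-byte salt, and 256/512 bits for hmac-sha2-256/512), since the report's point is that only the key length matters.

```shell
#!/bin/sh
# Constructed sample: the setkey(8) "add" line from the bug report, single-quoted
# so the shell does not touch the special characters in the key material.
SA_LINE='add 1.1.1.1 2.2.2.2 esp 7888 -m transport -E aes-gcm-16 "3#&*f738@?>=_fOH<D30z%WV&*^>@0D+n1{c" -A hmac-sha2-512 "M@-#@k9?NWiuj4f04jJE(dm{4/B=p9d5@7v}naW,[3!_1}4.]n-t;99L0+/14004";'

# Documented key sizes in bytes (assumption: setkey(8) lists aes-gcm-16 as
# 160/224/288 bits, i.e. AES key plus 4-byte salt, and hmac-sha2-256/512 as
# 256/512 bits). Unknown algorithms get an empty list and therefore never match.
expected_lengths() {
    case "$1" in
        aes-gcm-16)    echo "20 28 36" ;;
        hmac-sha2-256) echo "32" ;;
        hmac-sha2-512) echo "64" ;;
        *)             echo "" ;;
    esac
}

# key_len ALGO KEY: prints the key length in bytes; exit 0 only if that length
# is one of the documented sizes for ALGO.
key_len() {
    key=$2
    len=${#key}
    echo "$len"
    for ok in $(expected_lengths "$1"); do
        [ "$len" -eq "$ok" ] && return 0
    done
    return 1
}

# check_sa_line LINE: reports 'ALGO LEN ok' or 'ALGO LEN BAD' for every quoted
# key in a setkey add line; exit 0 only if every key has a documented length.
check_sa_line() {
    # Split on double quotes: even-numbered fields are keys, and the last word
    # of the preceding field is the algorithm name (-E aes-gcm-16 "..." etc.).
    pairs=$(printf '%s\n' "$1" | awk -F'"' '
        { for (i = 2; i <= NF; i += 2) { n = split($(i - 1), w, " "); print w[n], $i } }')
    status=0
    # Feed the pairs through a here-document so the shell neither word-splits
    # nor glob-expands key material containing characters such as * ? [ ].
    while read -r algo key; do
        if len=$(key_len "$algo" "$key"); then
            echo "$algo $len ok"
        else
            echo "$algo $len BAD"
            status=1
        fi
    done <<EOF
$pairs
EOF
    return $status
}

check_sa_line "$SA_LINE"
```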