FAST_IPSEC + device padlock + device crypto + IKE broken?

Stephen Clark Stephen.Clark at seclark.us
Wed Sep 6 09:43:53 PDT 2006


Adrian Steinmann wrote:

>On Wed, Sep 06, 2006 at 08:36:21AM +0200, Pawel Jakub Dawidek wrote:
>  
>
>>On Wed, Sep 06, 2006 at 08:29:13AM +0200, Adrian Steinmann wrote:
>>    
>>
>>>In my kernel config, I have
>>>
>>>    options FAST_IPSEC
>>>    device padlock
>>>    device crypto
>>>
>>>      
>>>
>...
>  
>
>>>Yet when I configure racoon from ipsec-tools, racoon2, or iked for
>>>dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When
>>>I set net.inet.ipsec.crypto_support=0 these same dynamic ike key
>>>configurations work, albeit without HW crypto accelleration.
>>>
>>>Has anyone else observed this and know what the problem is?
>>>      
>>>
>>Is this after my recent padlock(4) update in RELENG_6?
>>    
>>
>Both for RELENG_6_1 (new VIA C7 padlock support) and RELENG_6 (VIA C3)
>show this behavior on respective VIA processors. It's as if FAST_IPSEC
>can't register a new key session with crypto device...
>
>If you can point me where to debug (in padlock_* files?) I'd be happy
>to help.
>
>Adrian
>_______________________________________________
>freebsd-stable at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>
>  
>
I see the same problem with 6.1 without the changes from Pawel.

Steve

-- 

"They that give up essential liberty to obtain temporary safety, 
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty 
decreases."  (Thomas Jefferson)





More information about the freebsd-stable mailing list