FAST_IPSEC + device padlock + device crypto + IKE broken?
Stephen Clark
Stephen.Clark at seclark.us
Wed Sep 6 09:43:53 PDT 2006
Adrian Steinmann wrote:
>On Wed, Sep 06, 2006 at 08:36:21AM +0200, Pawel Jakub Dawidek wrote:
>
>
>>On Wed, Sep 06, 2006 at 08:29:13AM +0200, Adrian Steinmann wrote:
>>
>>
>>>In my kernel config, I have
>>>
>>> options FAST_IPSEC
>>> device padlock
>>> device crypto
>>>
>>>
>>>
>...
>
>
>>>Yet when I configure racoon from ipsec-tools, racoon2, or iked for
>>>dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When
>>>I set net.inet.ipsec.crypto_support=0 these same dynamic ike key
>>>configurations work, albeit without HW crypto acceleration.
>>>
>>>Has anyone else observed this and know what the problem is?
>>>
>>>
>>Is this after my recent padlock(4) update in RELENG_6?
>>
>>
>Both for RELENG_6_1 (new VIA C7 padlock support) and RELENG_6 (VIA C3)
>show this behavior on respective VIA processors. It's as if FAST_IPSEC
>can't register a new key session with crypto device...
>
>If you can point me where to debug (in padlock_* files?) I'd be happy
>to help.
>
>Adrian
I see the same problem with 6.1 without the changes from Pawel.
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)