Netgate Discussion Forum

    Having trouble with AES256 and glxsb acceleration on Alix

    IPsec
      ttblum

      Hello,

      Since I enabled glxsb option (running on a Netgate m1n1wall 2D13 Alix board), Phase 2 on an AES256 IPSEC tunnel no longer establishes:

      Mar 27 16:31:44 racoon: ERROR: pfkey ADD failed: Invalid argument
      Mar 27 16:31:44 racoon: ERROR: pfkey UPDATE failed: Invalid argument
      Mar 27 16:31:44 racoon: WARNING: attribute has been modified.
      Mar 27 16:31:44 racoon: [Tiffen interface for Akers]: INFO: initiate new phase 2 negotiation: my.ip.add.ress[500]<=>rem.ote.ip.adr[500]

      although Phase1 establishes fine.  This tunnel worked fine before enabling the glxsb, and I believe the remote side is IOS or ASA.  I am running 2.0.1-RELEASE (i386).  Is this a known issue?  All of my AES128 tunnels are working fine.

      Thanks,

      Todd

        azzido

        I had the same issue with an Alix board and a road warrior setup. When glxsb is enabled, AES 256 stops working; I do not really remember why, though.

          jimp Rebel Alliance Developer Netgate

          glxsb only accelerates AES128.

          Though I see a ticket was opened and cmb said it's an OS issue that 256 gives an error.

          Though if you are only using AES256, glxsb won't help you anyhow.

            cmb

            It's an OS issue that it doesn't work, at least; pretty sure that ticket or something I saw here said it doesn't work on 128 either. I would hope it doesn't break AES256 entirely, though that may just be a consequence of how it functions.

              ttblum

              Hi,

              When glxsb is loaded, only AES128 encryption works – it breaks AES192 and AES256.  I opened a bug with FreeBSD assuming this is a problem with the glxsb.c kernel driver?

              Thanks,

              Todd

                cmb

                Ok, yeah, in that case it should be fixed so it doesn't try to accelerate and hence break higher AES levels; reporting it as a FreeBSD bug is correct.

                  ttblum

                  FYI,

                  AES > 128 with glxsb is not currently supported in any version of FreeBSD:

                  http://www.freebsd.org/cgi/query-pr.cgi?pr=166508

                  Thanks,

                  Todd
