Having trouble with AES256 and glxsb acceleration on Alix



  • Hello,

    Since I enabled glxsb option (running on a Netgate m1n1wall 2D13 Alix board), Phase 2 on an AES256 IPSEC tunnel no longer establishes:

    Mar 27 16:31:44 racoon: ERROR: pfkey ADD failed: Invalid argument
    Mar 27 16:31:44 racoon: ERROR: pfkey UPDATE failed: Invalid argument
    Mar 27 16:31:44 racoon: WARNING: attribute has been modified.
    Mar 27 16:31:44 racoon: [Tiffen interface for Akers]: INFO: initiate new phase 2 negotiation: my.ip.add.ress[500]<=>rem.ote.ip.adr[500]

    although Phase1 establishes fine.  This tunnel worked fine before enabling the glxsb, and I believe the remote side is IOS or ASA.  I am running 2.0.1-RELEASE (i386).  Is this a known issue?  All of my AES128 tunnels are working fine.

    Thanks,

    Todd



  • I had the same issue with an Alix board and road warrior setup. When glxsb is enabled, AES 256 stops working; I do not really remember why, though.


  • Rebel Alliance Developer Netgate

    glxsb only accelerates AES128.

    Though I see a ticket was opened and cmb said it's an OS issue that 256 gives an error.

    Though if you are only using AES256, glxsb won't help you anyhow.



  • It's an OS issue that it doesn't work at least; pretty sure that ticket or something I saw here said it doesn't work on 128 either. I would hope it doesn't break AES256 entirely, though that may just be a consequence of how it functions.



  • Hi,

    When glxsb is loaded, only AES128 encryption works – it breaks AES192 and AES256.  I opened a bug with FreeBSD assuming this is a problem with the glxsb.c kernel driver?

    Thanks,

    Todd



  • Ok, yeah, in that case it should be fixed so it doesn't try to accelerate, and hence break, higher AES levels; reporting it as a FreeBSD bug is correct.



  • FYI,

    AES > 128 with glxsb is not currently supported in any version of FreeBSD:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=166508

    Thanks,

    Todd
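
The incompatibility reported in this thread can be checked for before enabling the driver. The following is an added example, not part of any post above and not pfSense or FreeBSD code: it scans racoon.conf text for AES proposals above 128 bits when a kldstat listing shows glxsb. The sample kldstat output and configuration are constructed, and treating a bare `aes` entry as 128 bits is an assumption.

```python
import re

# Per the thread: with glxsb loaded, only AES128 works.
GLXSB_OK_BITS = {128}

# Constructed sample inputs (not taken from any real system).
SAMPLE_KLDSTAT = """Id Refs Address    Size     Name
 1    3 0xc0400000 1032e54  kernel
 2    1 0xc5a3b000 4000     glxsb.ko
"""
SAMPLE_CONF = """remote 203.0.113.10 {
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
    }
}
sainfo address 10.0.1.0/24 any address 10.0.2.0/24 any {
    encryption_algorithm aes 256, aes 128;
    authentication_algorithm hmac_sha1;
}
"""

def glxsb_loaded(kldstat_output):
    """True if a kldstat listing names the glxsb module."""
    return any(line.split()[-1].startswith("glxsb")
               for line in kldstat_output.splitlines() if line.strip())

def aes_proposals(racoon_conf):
    """Yield (line_no, bits) for each AES entry on encryption_algorithm lines.
    Assumption: a bare 'aes' with no key length means 128 bits."""
    for no, line in enumerate(racoon_conf.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop trailing comments
        m = re.search(r"\bencryption_algorithm\s+([^;]+);", line)
        if not m:
            continue
        for alg in m.group(1).split(","):
            parts = alg.split()
            if parts and parts[0] in ("aes", "rijndael"):
                yield no, int(parts[1]) if len(parts) > 1 else 128

def audit(kldstat_output, racoon_conf):
    """List (line_no, bits) of AES proposals expected to fail under glxsb."""
    if not glxsb_loaded(kldstat_output):
        return []
    return [(no, bits) for no, bits in aes_proposals(racoon_conf)
            if bits not in GLXSB_OK_BITS]

if __name__ == "__main__":
    for no, bits in audit(SAMPLE_KLDSTAT, SAMPLE_CONF):
        print(f"racoon.conf line {no}: AES{bits} proposed while glxsb is loaded")
```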

