Appendix:

The corresponding suite is:

[AES-SHA-GRP5-RSA_SIG]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256,128:256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  RSA_SIG
GROUP_DESCRIPTION=      MODP_1536

Might it be that this AES cipher is missing in the kernel?
man (4) crypto shows:

----------------
Depending on hardware being present, the following symmetric and asymmet-
     ric cryptographic features are potentially available from /dev/crypto:

...
    CRYPTO_AES_CBC
...
----------------

For IPSec I added

option IPSEC
device crypto
device cryptodev
device hifn (for hifn card)

to the kernel config file.

Am I missing something else, or what else can I do?
Regards

Ralf

"Ralf Hornik Mailings" <[EMAIL PROTECTED]> wrote:

Dear List,

I want to switch my routers from OpenBSD to FreeBSD and use the port of isakmpd for my VPN tunnels. But when I want to use my config from OpenBSD, isakmpd doesn't seem to configure AES in the phase I proposal.

The corresponding config entry is:

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA-GRP5-RSA_SIG

Starting isakmpd shows:

ike_phase_1_initiator_send_SA: section [AES-SHA-GRP5-RSA_SIG] has unsupported attribute(s)

When I use 3DES instead, isakmpd starts without errors. But I MUST use AES in phase I because all remote peers use it; I cannot change them all. Does anybody have an idea why isakmpd won't use AES in phase I but will in phase II?
Thank you and best regards

Ralf

--
everything stays different...



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



