Solved

OpenBSD IPsec AES-256 encryption problem

Posted on 2009-05-20
Last Modified: 2013-12-09

I am having problems using Manual Configuration of SAs on OpenBSD IPsec when I try to use AES encryption with a key of greater than 128.

The OpenBSD ipsec.conf man pages specify the following encryption ciphers.

    Cipher       Key Length
    des          56 bits
    3des         168 bits
    aes          128 bits
    aes-128      128 bits
    aes-192      192 bits
    aes-256      256 bits
    aesctr       160 bits      [phase 2 only]
    blowfish     160 bits
    cast         128 bits
    skipjack     80 bits
    null         (none)        [phase 2 only]

I cannot get it to work with aes-128, aes-192 or aes-256. All the others work fine.

Example of WORKING ipsec.conf
{
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes authkey file "authfile:authfile" enckey file "keyfile:keyfile"

flow esp from 1.2.3.4 to 4.3.2.1
}


Example of NOT-WORKING ipsec.conf
{
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes-256 authkey file "authfile:authfile" enckey file "keyfile:keyfile"

flow esp from 1.2.3.4 to 4.3.2.1
}

The error message when I use aes-256 is:

ipsecctl: unsupported encryption algorithm 7

Using OpenBSD versions 4.4 and 4.5; both have the same problem.

Anyone got any ideas what the issue is?

Please NOTE: I DO NOT want to use ISAKMP and PKI; I must use Manual SAs.
Question by:radar264
4 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 24431693
Key size too small.
 

Author Comment

by:radar264
ID: 24436282
Thanks, but no. Key size is correct. Have tried aes-128, 192, 256 all with correct keys and all fail.

And to illustrate: enc aes with a 128-bit key works fine.

esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes authkey file "authfile:authfile" enckey file "keyfile:keyfile"

But enc aes-128 with a 128-bit key fails. [Both the above aes (the default) and aes-128 use the same size 128-bit key.]

esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes-128 authkey file "authfile:authfile" enckey file "keyfile:keyfile"

ipsecctl: unsupported encryption algorithm 5

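One way to rule out the key-size explanation raised in the comments before suspecting the tool itself: check that the enckey file for each direction carries exactly the number of bits the ipsec.conf(5) table in the question lists for the chosen cipher. This Python is an added example, not from the thread or from OpenBSD; it assumes key files hold the key as a hex string (optionally 0x-prefixed) and uses constructed key material in place of real files.

```python
import shlex

# Key lengths in bits for the ciphers in the ipsec.conf(5) table quoted in the question.
CIPHER_KEY_BITS = {
    "des": 56, "3des": 168, "aes": 128, "aes-128": 128, "aes-192": 192,
    "aes-256": 256, "aesctr": 160, "blowfish": 160, "cast": 128, "skipjack": 80,
}

def parse_esp_rule(line):
    """Turn a manual-keyed 'esp tunnel ...' rule into a dict of its fields."""
    toks = shlex.split(line)              # keeps "local:peer" file specs as one token
    rule = {"proto": toks[0], "mode": toks[1]}
    i = 2
    while i < len(toks):
        key = toks[i]
        if key in ("authkey", "enckey") and toks[i + 1] == "file":
            rule[key] = {"file": toks[i + 2].split(":")}   # one key file per direction
            i += 3
        else:
            rule[key] = toks[i + 1]       # from, to, spi, enc, auth, or an inline hex key
            i += 2
    return rule

def key_bits(hex_key):
    """Bit length of a key given as a hex string, with or without a 0x prefix."""
    h = hex_key.strip()
    h = h[2:] if h.lower().startswith("0x") else h
    int(h, 16)                            # ValueError if the file is not a hex key
    return len(h) * 4

def check_enckey(rule, key_files):
    """Directions whose enckey length mismatches the cipher; key_files maps filename -> contents."""
    cipher = rule.get("enc", "aes")       # aes is the default enc when none is given
    want = CIPHER_KEY_BITS.get(cipher)
    if want is None:
        return [f"unknown cipher {cipher}"]
    spec = rule["enckey"]
    keys = [key_files[f] for f in spec["file"]] if isinstance(spec, dict) else [spec, spec]
    return [f"{d} enckey: {key_bits(k)} bits, {cipher} needs {want}"
            for d, k in zip(("local", "peer"), keys) if key_bits(k) != want]

# Constructed key material (not real keys): 32 hex digits = 128 bits, 64 hex digits = 256 bits.
KEYS_128 = {"keyfile": "0x" + "11" * 16}
KEYS_256 = {"keyfile": "22" * 32}
RULE = ('esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes-256 '
        'authkey file "authfile:authfile" enckey file "keyfile:keyfile"')

if __name__ == "__main__":
    print(check_enckey(parse_esp_rule(RULE), KEYS_128))  # two findings: 128 bits vs 256
    print(check_enckey(parse_esp_rule(RULE), KEYS_256))  # []: key length is not the problem
```

If the second call returns an empty list for your real key files and ipsecctl still rejects the rule, the key length is not the cause and the tool-support explanation in the accepted answer is the one left standing.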
 
LVL 9

Accepted Solution

by:svs (earned 500 total points)
ID: 24436523
AES-256 support is apparently missing from ipsecctl:

http://archive.openbsd.nu/?ml=openbsd-misc&a=2008-02&t=6344221
 

Author Comment

by:radar264
ID: 24440973
RE "AES-256 support is apparently missing from ipsecctl:"

That's an interesting point. The author of the comment in the URL mentions that there is info in the man pages for ipsecctl and ipsec.conf for setting up ipsec tunnels using AES with a 256-bit key.

The current man pages (both for releases 4.4 and 4.5) for ipsec.conf do include all the information for setting up ipsec tunnels using AES with 128-, 192-, and 256-bit keys.

But even though it tells you how to do it, it still doesn't work.

I'll go do more digging.
