radar264
asked on
OpenBSD IPsec AES-256 encryption problem
I am having problems using manual configuration of SAs on OpenBSD IPsec when I try to use AES encryption with a key greater than 128 bits.
The OpenBSD ipsec.conf man pages specify the following encryption ciphers.
Cipher      Key length
des         56 bits
3des        168 bits
aes         128 bits
aes-128     128 bits
aes-192     192 bits
aes-256     256 bits
aesctr      160 bits [phase 2 only]
blowfish    160 bits
cast        128 bits
skipjack    80 bits
null        (none) [phase 2 only]
I cannot get it to work with aes-128, aes-192 or aes-256. All the others work fine.
Example of WORKING ipsec.conf
{
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes authkey file "authfile:authfile" enckey file "keyfile:keyfile"
flow esp from 1.2.3.4 to 4.3.2.1
}
Example of NOT-WORKING ipsec.conf
{
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes-256 authkey file "authfile:authfile" enckey file "keyfile:keyfile"
flow esp from 1.2.3.4 to 4.3.2.1
}
The error message when I use aes-256 is:
ipsecctl: unsupported encryption algorithm 7
Using OpenBSD versions 4.4 and 4.5, both have the same problem.
Anyone got any ideas what the issue is?
Please note: I DO NOT want to use ISAKMP and PKI, I must use manual SAs.
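The reply below questions the key size, and the question's stanzas reference the keys only through files. The following is an added example, not code from the thread or from OpenBSD: a small POSIX sh script that generates manual-SA key material of the exact length the ipsec.conf cipher table above requires, verifies a key file's bit length before ipsecctl ever reads it, and prints a stanza in the same form as the question. It assumes (this is not stated in the thread) that the files named in `enckey file "out:in"` and `authkey file "out:in"` hold the key as a hex string, the first keying the outbound SA and the second the inbound one, and that the auth algorithm names and key sizes (e.g. hmac-sha2-256 with a 256-bit key) are those of the ipsec.conf(5) auth table. It does not address the `unsupported encryption algorithm` message itself; it only lets a practitioner rule key length in or out as the cause.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenBSD).
# Generates and checks hex key files for a manually keyed ESP SA.
# Assumptions: key files contain hex; "out:in" file pairs key the
# outbound and inbound SA; auth key sizes follow ipsec.conf(5).

# Required encryption key length in bits, from the cipher table quoted
# in the question. Prints 0 for an unknown cipher name.
cipher_key_bits() {
    case "$1" in
        des)                echo 56 ;;
        3des)               echo 168 ;;
        aes|aes-128|cast)   echo 128 ;;
        aes-192)            echo 192 ;;
        aes-256)            echo 256 ;;
        aesctr|blowfish)    echo 160 ;;
        skipjack)           echo 80 ;;
        *)                  echo 0 ;;
    esac
}

# Required authentication key length in bits (assumed from ipsec.conf(5)).
auth_key_bits() {
    case "$1" in
        hmac-md5)       echo 128 ;;
        hmac-sha1)      echo 160 ;;
        hmac-sha2-256)  echo 256 ;;
        hmac-sha2-384)  echo 384 ;;
        hmac-sha2-512)  echo 512 ;;
        *)              echo 0 ;;
    esac
}

# Bit length of a hex-encoded key: 4 bits per hex digit, whitespace ignored.
hex_key_bits() {
    k=$(printf '%s' "$1" | tr -d ' \t\n')
    echo $(( ${#k} * 4 ))
}

# Fresh random key of the given bit length, hex encoded, from /dev/urandom.
random_hex_key() {
    dd if=/dev/urandom bs=$(( $1 / 8 )) count=1 2>/dev/null \
        | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if the hex key is exactly the length the cipher needs.
check_enckey() {
    bits=$(cipher_key_bits "$1")
    [ "$bits" -gt 0 ] && [ "$(hex_key_bits "$2")" -eq "$bits" ]
}

# Write four key files (enc/auth, out/in) into DIR, verify the encryption
# keys, and print the manual-SA stanza that references them.
# Usage: write_manual_sa CIPHER AUTH DIR LOCAL PEER
write_manual_sa() {
    cipher=$1 auth=$2 dir=$3 src=$4 dst=$5
    ebits=$(cipher_key_bits "$cipher") abits=$(auth_key_bits "$auth")
    [ "$ebits" -gt 0 ] && [ "$abits" -gt 0 ] || return 1
    (   umask 077   # key files must not be readable by other users
        for f in enc.out enc.in; do random_hex_key "$ebits" > "$dir/$f"; done
        for f in auth.out auth.in; do random_hex_key "$abits" > "$dir/$f"; done
    )
    # Re-read what was written and check it before ipsecctl sees it.
    check_enckey "$cipher" "$(cat "$dir/enc.out")" || return 1
    check_enckey "$cipher" "$(cat "$dir/enc.in")"  || return 1
    printf 'esp tunnel from %s to %s spi 0x4242:0x4243 enc %s auth %s authkey file "%s/auth.out:%s/auth.in" enckey file "%s/enc.out:%s/enc.in"\n' \
        "$src" "$dst" "$cipher" "$auth" "$dir" "$dir" "$dir" "$dir"
    printf 'flow esp from %s to %s\n' "$src" "$dst"
}

# Demo: a temporary key directory and the stanza that references it.
demo_dir=$(mktemp -d)
write_manual_sa aes-256 hmac-sha2-256 "$demo_dir" 1.2.3.4 4.3.2.1
rm -rf "$demo_dir"
```

Run `hex_key_bits "$(cat keyfile)"` against an existing key file to see the size ipsecctl will be given; for the question's working `enc aes` stanza that should print 128, and for `enc aes-256` it must print 256. The demo directory is removed at the end; point `write_manual_sa` at a permanent directory under `/etc` to keep the files.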
Key size too small.
ASKER
Thanks but No. Key size is correct. Have tried aes-128, 192, 256 all with correct keys and all fail.
And to illustrate. enc aes with a 128 bit key works Fine.
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes authkey file "authfile:authfile" enckey file "keyfile:keyfile"
But enc aes-128 with a 128 bit key fails. [Both the above aes (the default) and aes-128 use the same 128-bit key.]
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 enc aes-128 authkey file "authfile:authfile" enckey file "keyfile:keyfile"
ipsecctl: unsupported encryption algorithm 5
ASKER CERTIFIED SOLUTION
ASKER
RE "AES-256 support is apparently missing from ipsecctl:"
That's an interesting point. The author of the comment in the URL mentions that there is info in the man pages for ipsecctl and ipsec.conf for setting up ipsec tunnels using AES with a 256-bit key.
The current man pages (both for releases 4.4 and 4.5) for ipsec.conf do include all the information for setting up ipsec tunnels using AES with 128, 192 and 256-bit keys.
But even though it tells you how to do it, it still doesn't work.
I'll go do more digging.