Adrian Steinmann
2006-Sep-06 06:32 UTC
FAST_IPSEC + device padlock + device crypto + IKE broken?
In my kernel config, I have

    options FAST_IPSEC
    device padlock
    device crypto

which enables the crypto acceleration in VIA C3 and C7 CPUs. IPSEC with static rijndael-cbc keys of length 128, 192, and 256 makes use of the acceleration when sysctl net.inet.ipsec.crypto_support=1; - so far, so good.

Yet when I configure racoon from ipsec-tools, racoon2, or iked for dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When I set net.inet.ipsec.crypto_support=0 these same dynamic ike key configurations work, albeit without HW crypto acceleration.

Has anyone else observed this and know what the problem is?

Adrian
Pawel Jakub Dawidek
2006-Sep-06 06:36 UTC
FAST_IPSEC + device padlock + device crypto + IKE broken?
On Wed, Sep 06, 2006 at 08:29:13AM +0200, Adrian Steinmann wrote:
> In my kernel config, I have
>
> options FAST_IPSEC
> device padlock
> device crypto
>
> which enables the crypto acceleration in VIA C3 and C7 CPUs. IPSEC
> with static rijndael-cbc keys of length 128, 192, and 256 makes use
> of the acceleration when sysctl net.inet.ipsec.crypto_support=1;
> - so far, so good.
>
> Yet when I configure racoon from ipsec-tools, racoon2, or iked for
> dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When
> I set net.inet.ipsec.crypto_support=0 these same dynamic ike key
> configurations work, albeit without HW crypto acceleration.
>
> Has anyone else observed this and know what the problem is?

Is this after my recent padlock(4) update in RELENG_6?

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!