FS#916 - Add kmod-crypto-gcm as dependency of kmod-ipsec #7109

Closed
openwrt-bot opened this issue Jul 19, 2017 · 1 comment

roysjosh:

I'm running a Linksys EA4500 with 17.01-SNAPSHOT r3466-f6907dc. While attempting to configure strongswan to use aes-gcm, I get:
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI cd903db2 and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using replay window of 32 packets
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] unable to add SAD entry with SPI cd903db2
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI 6109fc7b and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using replay window of 0 packets
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] unable to add SAD entry with SPI 6109fc7b
Wed Jul 19 16:18:30 2017 daemon.info : 14[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Wed Jul 19 16:18:30 2017 daemon.info : 14[IKE] failed to establish CHILD_SA, keeping IKE_SA

Which leads me to https://wiki.strongswan.org/issues/2121 which then caused me to notice that PACKAGE_kmod-ipsec doesn't pull in kmod-crypto-gcm. Please consider enabling GCM in the default kernel IPsec config.

bjonglez:

kmod-crypto-gcm does not look that big, feel free to submit a patch: https://git.lede-project.org/?p=source.git;a=blob;f=package/kernel/linux/modules/netsupport.mk;h=6c9b03be1dae1cbe8a4486de610e096e2736c25f;hb=HEAD#l229

This is a good question though: should the ipsec package depend on all possible crypto algorithms? Looking quickly, it's also missing dependencies on ECB, CTR, CCM, which are potentially useful. But for space-constrained devices, it makes sense to pull only the minimal amount of dependencies, and users can then install additional crypto packages if needed.
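
Added example, not part of the issue thread or of either poster's comments: a POSIX shell function that reads charon log lines like those quoted in the report and lists each ESP encryption algorithm the kernel refused with netlink error 38, together with a hint at the crypto kmod to install. The names `rejected_algs` and `sample_log` are hypothetical, the sample lines are constructed from the log format above, and only the AES_GCM to `kmod-crypto-gcm` mapping comes from the issue; the CCM and CTR package names are assumptions.

```shell
#!/bin/sh
# Added example: correlate "using encryption algorithm X" with a following
# "Function not implemented (38)" on the same charon thread (e.g. "14[KNL]").
rejected_algs() {
    awk '
    {   # find the charon thread tag on this line; skip non-KNL lines
        tid = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\[KNL\]$/) { tid = $i; break }
        if (tid == "") next
    }
    # a new SAD entry starts: forget any algorithm seen earlier on this thread
    /adding SAD entry/ { delete last[tid]; next }
    /using encryption algorithm/ {
        for (i = 1; i < NF; i++)
            if ($i == "algorithm") last[tid] = $(i + 1)
        next
    }
    /received netlink error: Function not implemented \(38\)/ {
        alg = last[tid]
        if (alg != "" && !(alg in seen)) {
            seen[alg] = 1
            hint = "unknown"
            if (alg ~ /^AES_GCM/) hint = "kmod-crypto-gcm"       # from the issue
            else if (alg ~ /^AES_CCM/) hint = "kmod-crypto-ccm"  # assumed name
            else if (alg ~ /^AES_CTR/) hint = "kmod-crypto-ctr"  # assumed name
            print alg, hint
        }
    }'
}

# Constructed sample: thread 14 is rejected, thread 09 (AES_CBC) is not.
sample_log() {
cat <<'EOF'
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI cd903db2 and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 09[KNL] adding SAD entry with SPI 00000001 and reqid {2}
Wed Jul 19 16:18:30 2017 daemon.info : 09[KNL] using encryption algorithm AES_CBC with key size 128
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
EOF
}

sample_log | rejected_algs   # on a router, feed it the real log instead
```

An `unknown` hint means the algorithm was rejected but this script has no package mapping for it.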
