Wang,
It seems that the FreeBSD kernel stopped supporting AES-XCBC-MAC-96
even though setkey still supports AES-XCBC-MAC-96.
Please refer to
<http://www.tahi.org/logo/ipsec/results/end_node/IPsec_Self_Test_P2_1-0-7/ipsec.p2/11.html>.
This is an old test result, but you can see that AES-XCBC-MAC-96 worked on FreeBSD 5.4-RELEASE-p8.
At that time, FreeBSD used the source code from KAME.
That was </usr/src/sys/netinet6/ah_core.c>.
This reference is from FreeBSD 6.1-RELEASE,
but it still has the SADB_X_AALG_AES_XCBC_MAC case.
    const struct ah_algorithm *
    ah_algorithm_lookup(idx)
        int idx;
    {

        switch (idx) {
        case SADB_AALG_MD5HMAC:
            return &ah_algorithms[0];
        case SADB_AALG_SHA1HMAC:
            return &ah_algorithms[1];
        case SADB_X_AALG_MD5:
            return &ah_algorithms[2];
        case SADB_X_AALG_SHA:
            return &ah_algorithms[3];
        case SADB_X_AALG_NULL:
            return &ah_algorithms[4];
        case SADB_X_AALG_SHA2_256:
            return &ah_algorithms[5];
        case SADB_X_AALG_SHA2_384:
            return &ah_algorithms[6];
        case SADB_X_AALG_SHA2_512:
            return &ah_algorithms[7];
        case SADB_X_AALG_RIPEMD160HMAC:
            return &ah_algorithms[8];
        case SADB_X_AALG_AES_XCBC_MAC:
            return &ah_algorithms[9];
        case SADB_X_AALG_TCP_MD5:
            return &ah_algorithms[10];
        default:
            return NULL;
        }
    }
On the other hand,
FreeBSD 7.0-RELEASE uses </usr/src/sys/netipsec/xform_ah.c> for the ah_algorithm_lookup() function.
    struct auth_hash *
    ah_algorithm_lookup(int alg)
    {
        if (alg >= AH_ALG_MAX)
            return NULL;
        switch (alg) {
        case SADB_X_AALG_NULL:
            return &auth_hash_null;
        case SADB_AALG_MD5HMAC:
            return &auth_hash_hmac_md5_96;
        case SADB_AALG_SHA1HMAC:
            return &auth_hash_hmac_sha1_96;
        case SADB_X_AALG_RIPEMD160HMAC:
            return &auth_hash_hmac_ripemd_160_96;
        case SADB_X_AALG_MD5:
            return &auth_hash_key_md5;
        case SADB_X_AALG_SHA:
            return &auth_hash_key_sha1;
        case SADB_X_AALG_SHA2_256:
            return &auth_hash_hmac_sha2_256;
        case SADB_X_AALG_SHA2_384:
            return &auth_hash_hmac_sha2_384;
        case SADB_X_AALG_SHA2_512:
            return &auth_hash_hmac_sha2_512;
        }
        return NULL;
    }
Now you can see that the SADB_X_AALG_AES_XCBC_MAC case was removed.
Thanks,
On Mon, 24 Nov 2008 15:59:57 +0800
wang_jiabo <jiabwang@redhat.com> wrote:
> Hello, all:
> I am testing IPsec interoperability cases.
> When I configure the following ipsec.conf file on FreeBSD 7.0:
>
> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E 3des-cbc
> "ipv6readylogo3descbc1to2" -A aes-xcbc-mac "ipv6readaesx1to2";
>
> and then run: setkey -f /etc/ipsec.conf
> the system reports:
> line 4 : Not supported at [ipv6readaesx1to2]
> parse failed, line 4.
>
> If I use:
>
> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E 3des-cbc
> "ipv6readylogo3descbc1to2" -A hmac-sha1 "ipv6readaesx1to2";
>
> it is OK; there is no failure message.
> It is OK on the Red Hat OS.
>
> Could you help me find where the problem is and how to resolve it?
> Thanks
> Wang JiaBo
>
--
Yukiyo Akisada <akisada@tahi.org>
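The algorithm the thread is about, AES-XCBC-MAC-96 (RFC 3566), worked through as an added example that is not part of the original thread or of FreeBSD's code: the three-subkey derivation and the K2/K3 final-block rule are what an auth_hash entry for SADB_X_AALG_AES_XCBC_MAC has to implement. It assumes the `cryptography` package for the raw AES block operation and checks itself against the RFC 3566 test vectors.

```python
"""AES-XCBC-MAC-96 (RFC 3566) on top of a raw AES block primitive."""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # assumed installed

BLOCK = 16


def _aes_block(key: bytes, block: bytes) -> bytes:
    """Encrypt exactly one 16-byte block with AES (ECB mode is the bare block cipher)."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aes_xcbc_mac(key: bytes, msg: bytes) -> bytes:
    """Full 128-bit AES-XCBC-MAC per RFC 3566 with a 128-bit key K."""
    if len(key) != BLOCK:
        raise ValueError("AES-XCBC-MAC uses a 128-bit key")
    # Subkeys: K1, K2, K3 are AES-K applied to the constant blocks 0x01.., 0x02.., 0x03..
    k1, k2, k3 = (_aes_block(key, bytes([c]) * BLOCK) for c in (1, 2, 3))
    # Split M into 128-bit blocks; an empty message still counts as one (empty) block.
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)] or [b""]
    # CBC-style chaining under K1 for every block except the last.
    e = bytes(BLOCK)
    for m in blocks[:-1]:
        e = _aes_block(k1, _xor(e, m))
    # Last block: whiten with K2 if it is complete, otherwise pad with a single 1 bit
    # then 0 bits (0x80 00 ...) and whiten with K3. Distinct keys keep padding unambiguous.
    last = blocks[-1]
    if len(last) == BLOCK:
        e = _aes_block(k1, _xor(_xor(e, last), k2))
    else:
        padded = last + b"\x80" + bytes(BLOCK - len(last) - 1)
        e = _aes_block(k1, _xor(_xor(e, padded), k3))
    return e


def aes_xcbc_mac_96(key: bytes, msg: bytes) -> bytes:
    """The IPsec variant: the leftmost 96 bits (12 bytes) of the MAC, as carried in AH/ESP."""
    return aes_xcbc_mac(key, msg)[:12]


# Test vectors copied from RFC 3566 (key K and the first four message cases).
RFC3566_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RFC3566_VECTORS = [
    (b"", "75f0251d528ac01c4573dfd584d79f29"),
    (bytes.fromhex("000102"), "5b376580ae2f19afe7219ceef172756f"),
    (bytes(range(16)), "d2a246fa349b68a79998a4394ff7a263"),
    (bytes(range(20)), "47f51b4564966215b8985c63055ed308"),
]


def verify_rfc3566_vectors() -> bool:
    return all(aes_xcbc_mac(RFC3566_KEY, m) == bytes.fromhex(h) for m, h in RFC3566_VECTORS)
```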