From nobody@FreeBSD.org  Fri Mar 30 03:00:08 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 219011065670
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Mar 2012 03:00:08 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 00B208FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Mar 2012 03:00:08 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q2U30708055065
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Mar 2012 03:00:07 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q2U307BO055062;
	Fri, 30 Mar 2012 03:00:07 GMT
	(envelope-from nobody)
Message-Id: <201203300300.q2U307BO055062@red.freebsd.org>
Date: Fri, 30 Mar 2012 03:00:07 GMT
From: Todd Blum <todd@toddblum.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: AES 256 encryption does not work with glxsb driver
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         166508
>Category:       kern
>Synopsis:       [glxsb] AES 256 encryption does not work with glxsb driver
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 30 03:00:26 UTC 2012
>Closed-Date:    
>Last-Modified:  Mon Jul 16 02:30:36 UTC 2012
>Originator:     Todd Blum
>Release:        8.1 (pfSense 2.0.1)
>Organization:
>Environment:
FreeBSD mbsnet-pf1.mbspchost.com 8.1-RELEASE-p6 FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 18:59:41 EST 2011     root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_wrap.8.i386  i386

>Description:
Enabling the glxsb driver on an Alix board (Netgate m1n1wall 2D13) running pfSense 2.0.1 (FreeBSD 8.1) prevents AES256 IPSec Phase2 connections from establishing:

Mar 27 16:31:44 racoon: ERROR: pfkey ADD failed: Invalid argument
Mar 27 16:31:44 racoon: ERROR: pfkey UPDATE failed: Invalid argument
Mar 27 16:31:44 racoon: WARNING: attribute has been modified.
Mar 27 16:31:44 racoon: [Name of Tunnel]: INFO: initiate new phase 2 negotiation: my.ip.add.ress500<=>rem.ote.ip.adr500

AES128 IPSec connections still work OK.

I believe the remote side is Cisco IOS or ASA.   I am running 2.0.1-RELEASE (i386).  Other users have reported similar behavior: 

http://forum.pfsense.org/index.php?topic=47701.new

Per pfSense dev team, the problem is upstream in the FreeBSD kernel:

https://redmine.pfsense.org/issues/2324#change-8509
>How-To-Repeat:
Load glxsb driver, then try to establish an AES256 IPSec tunnel.
>Fix:


>Release-Note:
>Audit-Trail:

From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: bug-followup@FreeBSD.org, todd@toddblum.org
Cc:  
Subject: Re: kern/166508: [glxsb] AES 256 encryption does not work with
 glxsb driver
Date: Sun, 24 Jun 2012 14:33:52 +0200

 Hello,
 
 This is a known issue and a problem within the crypto(9) framework. In
 the crypto framework we can only specify the algorithm (here aes) to
 use but not the size of the key. As glxsb only does aes-128, it fails
 when the crypto framework opens a session on it if the key size if
 different than 128.
 
 There is a CAVEAT section in the manual page of glxsb(4) for this :
 CAVEAT
      The crypto(9) framework will fail to open the crypto session on the
      device if the AES key's length is != 128 bits.  This prevents the
      use of the glxsb device driver with AES keys of length != 128 bits.
 
 To make this to work, it need some changes in crypto(9). Sorry.
 (we can close this PR I guess, as it will not be solved)
 
 Regards.
State-Changed-From-To: open->suspended 
State-Changed-By: linimon 
State-Changed-When: Mon Jul 16 02:29:47 UTC 2012 
State-Changed-Why:  
Apparently this is documented in the manpage as being missing functionality. 

I'm going to leave it in 'suspended' in case someone searches GNATS in the 
future. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=166508 
>Unformatted:
