NetBSD-Users archive


setkey -- twofish-cbc unsupported algorithm



Hello, I was willing to benchmark and compare a few IPSEC settings and I noticed twofish-cbc does not seem to be available, although it is referenced in the manual.
Seen on NetBSD/amd64 9.0.  Is this a known issue?  I tried with 128 and 256 bit keys, same result.  No problem with blowfish-cbc and cast128-cbc.

# vi /etc/ipsec.conf
add OFFICEPUB1 OFFICEPUB2 esp 13245 -E twofish-cbc 0x...some-pseudo-random-key...;
add OFFICEPUB2 OFFICEPUB1 esp 13246 -E twofish-cbc 0x...some-other-pseudo-random-key...;
spdadd SUBNET1/24 SUBNET2/24 any -P out ipsec esp/tunnel/OFFICEPUB1-OFFICEPUB2/require;
spdadd SUBNET2/24 SUBNET1/24 any -P in ipsec esp/tunnel/OFFICEPUB2-OFFICEPUB1/require;

# /etc/rc.d/ipsec restart
Clearing ipsec manual keys/policies.
Installing ipsec manual keys/policies.
line 1: unsupported algorithm at [0x...some-pseudo-random-key...]
parse failed, line 1.

https://netbsd.gw.com/cgi-bin/man-cgi?setkey
https://netbsd.gw.com/cgi-bin/man-cgi?setkey++NetBSD-current

Good old KAME is much appreciated, thank you.
--
Pierre-Philipp

