From: Satavee J. <sa...@gm...> - 2012-03-14 09:04:58

Hi,

After testing Ipsec-tool on normal desktop with Debian Squeeze 6.0.3, it's working fine.

root@Racoon:~# uname -a
Linux Racoon 2.6.39 #1 Thu Feb 2 15:22:46 ICT 2012 i586 GNU/Linux
root@Racoon:~# lsmod
Module                  Size  Used by
deflate                12495  0
zlib_deflate           25278  1 deflate
ctr                    12851  0
twofish_generic        16529  0
twofish_i586           12453  0
twofish_common         20497  2 twofish_generic,twofish_i586
serpent                28943  0
blowfish               16576  0
cast5                  24773  0
xcbc                   12629  0
sha512_generic         16649  0
sha256_generic         20805  0
ppp_async              12868  1
crc_ccitt              12331  1 ppp_async
ppp_generic            25984  5 ppp_async
slhc                   12584  1 ppp_generic
bridge                 43270  0
stp                    12368  1 bridge
llc                    12693  2 bridge,stp
ecb                    12649  0
option                 20658  1
usb_wwan               12882  1 option
geode_aes              12862  0
usbserial              31303  4 option,usb_wwan
geode_rng              12436  0
ext3                  105577  1
jbd                    36646  1 ext3
mbcache                12857  1 ext3

But I've got error " alg: hash: Test 1 failed for xcbc(geode-aes) " and "take almost 4 minutes to establish the connection" when tried to test on Alix 6F -AMD Geode LX800- board ( http://alix-shop.com/index.php?language=en&cat=c129_ALIX-Board.html&gclid=CLyD_qz-5a4CFY4c6wodLHsMwg) .

Below are two log files from to gateway before and after remove "geode_aes" module.

(1) with geode_aes module

root@Racoon:~# ipsec start
Starting IKE (ISAKMP/Oakley) server: racoonMar 14 15:15:20 Racoon racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Mar 14 15:15:20 Racoon racoon: INFO: @(#)This product linked OpenSSL 1.0.0g 18 Jan 2012 (http://www.openssl.org/)
Mar 14 15:15[ 343.730982] alg: hash: Test 1 failed for xcbc(geode-aes)
:20 Racoon racoo[ 343.748947] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
n: INFO: Reading configuration from "/etc/racoon/racoon.conf" .
Mar 14 15:15:20 Racoon kernel: [ 343.748947] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
[ 403.796600] alg: hash: Test 1 failed for xcbc(geode-aes)
[ 403.812621] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
Mar 14 15:16:20 Racoon kernel: [ 403.812621] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
[ 463.865844] alg: hash: Test 1 failed for xcbc(geode-aes)
[ 463.881812] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
Mar 14 15:17:21 Racoon kernel: [ 463.881812] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
Mar 14 15:18:21 Racoon racoon: INFO: x.x.92.65[500] used for NAT-T
Mar 14 15:18:21 Racoon racoon: INFO: x.x.92.65[500] us[ 523.937533] alg: hash: Test 1 failed for xcbc(geode-aes)
ed as isakmp por[ 523.956685] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
t (fd=7)
Mar 14 15:18:21 Racoon racoon: INFO: x.x.92.65[4500] used for NAT-T
Mar 14 15:18:21 Racoon racoon: INFO: x.x.92.65[4500] used as isakmp port (fd=8)
Mar 14 15:18:21 Racoon kernel: [ 523.956685] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
Mar 14 15:19:21 Racoon racoon: INFO: unsupported PF_KEY message REGISTER
[: 38: 1: unexpected operator
Mar 14 15:19:26 Racoon racoon: INFO: IPsec-SA request for x.x.1.95 queued due to no phase1 found.
Mar 14 15:19:26 Racoon racoon: INFO: initiate new phase 1 negotiation: x.x.92.65[500]<=>x.x.1.95[500]
Mar 14 15:19:26 Racoon racoon: INFO: begin Identity Protection mode.
Mar 14 15:19:26 Racoon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Mar 14 15:19:26 Racoon racoon: [x.x.1.95] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02#012
Mar 14 15:19:26 Racoon racoon: [x.x.1.95] INFO: Hashing x.x.1.95[500] with algo #2
Mar 14 15:19:26 Racoon racoon: [x.x.92.65] INFO: Hashing x.x.92.65[500] with algo #2
Mar 14 15:19:26 Racoon racoon: INFO: Adding remote and local NAT-D payloads.
Mar 14 15:19:27 Racoon racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 14 15:19:27 Racoon racoon: INFO: received Vendor ID: DPD
Mar 14 15:19:27 Racoon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 14 15:19:27 Racoon racoon: [x.x.92.65] INFO: Hashing x.x.92.65[500] with algo #2
Mar 14 15:19:27 Racoon racoon: INFO: NAT-D payload #0 verified
Mar 14 15:19:27 Racoon racoon: [x.x.1.95] INFO: Hashing x.x.1.95[500] with algo #2
Mar 14 15:19:27 Racoon racoon: INFO: NAT-D payload #1 doesn't match
Mar 14 15:19:27 Racoon racoon: INFO: NAT detected: PEER
Mar 14 15:19:27 Racoon racoon: INFO: KA list add: x.x.92.65[4500]->x.x.1.95[4500]
Mar 14 15:19:28 Racoon racoon: WARNING: port 4500 expected, but 0
Mar 14 15:19:28 Racoon racoon: INFO: ISAKMP-SA established x.x.92.65[4500]-x.x.1.95[4500] spi:02c377b08f56cea1:0ccd202ab56adb15
Mar 14 15:19:29 Racoon racoon: INFO: initiate new phase 2 negotiation: x.x.92.65[4500]<=>x.x.1.95[4500]
Mar 14 15:19:29 Racoon racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
Mar 14 15:19:29 Racoon racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes
Mar 14 15:19:2[ 592.601976] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-generic),cbc(des3_ede-generic)))
9 Racoon racoon: WARNING: attribute has been modified.
Mar 14 15:19:29 Racoon racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 14 15:19:29 Racoon racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Mar 14 15:19:29 Racoon kernel: [ 592.601976] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-generic),cbc(des3_ede-generic)))
Mar 14 15:19:29 Racoon racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.92.65[4500]->x.x.1.95[4500] spi=124759690(0x76fae8a)
Mar 14 15:19:29 Racoon racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.92.65[4500]->x.x.1.95[4500] spi=3706727604(0xdcf02cb

(2) without geode_aes module ==> for this case it takes only 10 seconds to establish the ipsec connection

#rmmod geode_aes
root@Racoon:~# ipsec start
Starting IKE (ISAKMP/Oakley) server: racoonMar 14 15:22:47 Racoon racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Mar 14 15:22:47 Racoon racoon: INFO: @(#)This product linked OpenSSL 1.0.0g 18 Jan 2012 (http://www.openssl.org/)
Mar 14 15:22:47 Racoon racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" .
Mar 14 15:22:47 Racoon racoon: INFO: x.x.92.65[500] used for NAT-T
Mar 14 15:22:47 Racoon racoon: INFO: x.x.92.65[500] used as isakmp port (fd=7)
Mar 14 15:22:47 Racoon racoon: INFO: x.x.92.65[4500] used for NAT-T
Mar 14 15:22:47 Racoon racoon: INFO: x.x.92.65[4500] used as isakmp port (fd=8)
Mar 14 15:22:49 Racoon racoon: INFO: unsupported PF_KEY message REGISTER
[: 38: 1: unexpected operator
Mar 14 15:22:54 Racoon racoon: INFO: IPsec-SA request for x.x.1.95 queued due to no phase1 found.
Mar 14 15:22:54 Racoon racoon: INFO: initiate new phase 1 negotiation: x.x.92.65[500]<=>x.x.1.95[500]
Mar 14 15:22:54 Racoon racoon: INFO: begin Identity Protection mode.
Mar 14 15:22:55 Racoon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Mar 14 15:22:55 Racoon racoon: [x.x.1.95] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02#012
Mar 14 15:22:55 Racoon racoon: [x.x.1.95] INFO: Hashing x.x.1.95[500] with algo #2
Mar 14 15:22:55 Racoon racoon: [x.x.92.65] INFO: Hashing x.x.92.65[500] with algo #2
Mar 14 15:22:55 Racoon racoon: INFO: Adding remote and local NAT-D payloads.
Mar 14 15:22:55 Racoon racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 14 15:22:55 Racoon racoon: INFO: received Vendor ID: DPD
Mar 14 15:22:55 Racoon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 14 15:22:55 Racoon racoon: [x.x.92.65] INFO: Hashing x.x.92.65[500] with algo #2
Mar 14 15:22:55 Racoon racoon: INFO: NAT-D payload #0 verified
Mar 14 15:22:55 Racoon racoon: [x.x.1.95] INFO: Hashing x.x.1.95[500] with algo #2
Mar 14 15:22:55 Racoon racoon: INFO: NAT-D payload #1 doesn't match
Mar 14 15:22:55 Racoon racoon: INFO: NAT detected: PEER
Mar 14 15:22:55 Racoon racoon: INFO: KA list add: x.x.92.65[4500]->x.x.1.95[4500]
Mar 14 15:22:56 Racoon racoon: WARNING: port 4500 expected, but 0
Mar 14 15:22:56 Racoon racoon: INFO: ISAKMP-SA established x.x.92.65[4500]-x.x.1.95[4500] spi:7b047d447aac1b7d:0ccd202a0f3146c1
Mar 14 15:22:57 Racoon racoon: INFO: initiate new phase 2 negotiation: x.x.92.65[4500]<=>x.x.1.95[4500]
Mar 14 15:22:57 Racoon racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
Mar 14 15:22:57 Racoon racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes
Mar 14 15:22:57 Racoon racoon: WARNING: attribute has been modified.
Mar 14 15:22:57 Racoon racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 14 15:22:57 Racoon racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Mar 14 15:22:57 Racoon racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.92.65[4500]->x.x.1.95[4500] spi=60070620(0x3949adc)
Mar 14 15:22:57 Racoon racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.92.65[4500]->x.x.1.95[4500] spi=3709220308(0xdd1635d4)

It's running properly if I've removed hardware accelerator module .. Pls let me know if you need any more info that can help me to fix this problem.

Best Regards,
Satavee

From: VANHULLEBUS Y. <va...@fr...> - 2012-03-14 09:31:40

On Wed, Mar 14, 2012 at 04:04:45PM +0700, Satavee Junwana wrote:
> Hi,

Hi.

> After testing Ipsec-tool on normal desktop with Debian Squeeze 6.0.3, it's
> working fine.
[....]
> But I've got error " alg: hash: Test 1 failed for xcbc(geode-aes) " and "take
> almost 4 minutes to establish the connection" when tried to test on Alix 6F
> -AMD Geode LX800- board (
> http://alix-shop.com/index.php?language=en&cat=c129_ALIX-Board.html&gclid=CLyD_qz-5a4CFY4c6wodLHsMwg)
> .
>
>
> Below are two log files from to gateway before and after remove "geode_aes"
> module.
>
> (1) with geode_aes module
[....]
> It's running properly if I've removed hardware accelerator module .. Pls
> let me know if you need any more info that can help me to fix this problem.

Ipsec-tools doesn't really care about hardware acceleration for encryption: it just calls OpenSSL.

As I don't know how OpenSSL deals with such hardware on Linux, I don't know if your problem is related to OpenSSL or directly to Linux kernel, but it's quite sure it is not directly related to ipsec-tools, as the same configuration works without your hardware encryption....

Yvan.

From: Satavee <sa...@gm...> - 2012-03-15 00:32:46

Hi Yvan,
Many Thanks for your reply.

I just saw this message during start ipsec, you may be right, this error may not directly relate to ipsec-tools ...
I think ipsec-tools has tried to initiate hardware accelerator module but not succeed. It may require further modules.

Best regards,
Satavee

On Mar 14, 2012, at 16:31, VANHULLEBUS Yvan <va...@fr...> wrote:

> On Wed, Mar 14, 2012 at 04:04:45PM +0700, Satavee Junwana wrote:
>> Hi,
>
> Hi.
>
>> After testing Ipsec-tool on normal desktop with Debian Squeeze 6.0.3, it's
>> working fine.
> [....]
>> But I've got error " alg: hash: Test 1 failed for xcbc(geode-aes) " and "take
>> almost 4 minutes to establish the connection" when tried to test on Alix 6F
>> -AMD Geode LX800- board (
>> http://alix-shop.com/index.php?language=en&cat=c129_ALIX-Board.html&gclid=CLyD_qz-5a4CFY4c6wodLHsMwg)
>> .
>>
>>
>> Below are two log files from to gateway before and after remove "geode_aes"
>> module.
>>
>> (1) with geode_aes module
> [....]
>> It's running properly if I've removed hardware accelerator module .. Pls
>> let me know if you need any more info that can help me to fix this problem.
>
> Ipsec-tools doesn't really care about hardware acceleration for
> encryption: it just calls OpenSSL.
>
> As I don't know how OpenSSL deals with such hardware on Linux, I don't
> know if your problem is related to OpenSSL or directly to Linux
> kernel, but it's quite sure it is not directly related to ipsec-tools,
> as the same configuration works without your hardware encryption....
>
>
> Yvan.

From: Stephen C. <scl...@ea...> - 2012-03-15 17:48:27

On 03/14/2012 08:32 PM, Satavee wrote:
> Hi Yvan,
> Many Thanks for your reply.
>
> I just saw this message during start ipsec, you may be right, this error may not directly relate to ipsec-tools ...
> I think ipsec-tools has tried to initiate hardware accelerator module but not succeed. It may require further modules.
>
>
> Best regards,
> Satavee
>
>
>
> On Mar 14, 2012, at 16:31, VANHULLEBUS Yvan <va...@fr...> wrote:
>
>
>> On Wed, Mar 14, 2012 at 04:04:45PM +0700, Satavee Junwana wrote:
>>
>>> Hi,
>>>
>> Hi.
>>
>>
>>
>>> After testing Ipsec-tool on normal desktop with Debian Squeeze 6.0.3, it's
>>> working fine.
>>>
>> [....]
>>
>>> But I've got error " alg: hash: Test 1 failed for xcbc(geode-aes) " and "take
>>> almost 4 minutes to establish the connection" when tried to test on Alix 6F
>>> -AMD Geode LX800- board (
>>> http://alix-shop.com/index.php?language=en&cat=c129_ALIX-Board.html&gclid=CLyD_qz-5a4CFY4c6wodLHsMwg)
>>> .
>>>
>>>
>>> Below are two log files from to gateway before and after remove "geode_aes"
>>> module.
>>>
>>> (1) with geode_aes module
>>>
>> [....]
>>
>>> It's running properly if I've removed hardware accelerator module .. Pls
>>> let me know if you need any more info that can help me to fix this problem.
>>>
>> Ipsec-tools doesn't really care about hardware acceleration for
>> encryption: it just calls OpenSSL.
>>
>> As I don't know how OpenSSL deals with such hardware on Linux, I don't
>> know if your problem is related to OpenSSL or directly to Linux
>> kernel, but it's quite sure it is not directly related to ipsec-tools,
>> as the same configuration works without your hardware encryption....
>>
>>
>> Yvan.

openssl has a mode to test your encryption hardware.

openssl speed -evp aes-128-cbc

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)

From: Timo T. <tim...@ik...> - 2012-03-15 18:50:36

On Wed, 14 Mar 2012 10:31:26 +0100 VANHULLEBUS Yvan <va...@fr...> wrote:

> On Wed, Mar 14, 2012 at 04:04:45PM +0700, Satavee Junwana wrote:
> > Hi,
>
> Hi.
>
> > After testing Ipsec-tool on normal desktop with Debian Squeeze
> > 6.0.3, it's working fine.
> [....]
> > But I've got error " alg: hash: Test 1 failed for xcbc(geode-aes) "
> > and "take almost 4 minutes to establish the connection" when tried
> > to test on Alix 6F -AMD Geode LX800- board (
> > http://alix-shop.com/index.php?language=en&cat=c129_ALIX-Board.html&gclid=CLyD_qz-5a4CFY4c6wodLHsMwg)
> > .
> >
> >
> > Below are two log files from to gateway before and after remove
> > "geode_aes" module.
> >
> > (1) with geode_aes module
> [....]
> > It's running properly if I've removed hardware accelerator
> > module .. Pls let me know if you need any more info that can help
> > me to fix this problem.
>
> Ipsec-tools doesn't really care about hardware acceleration for
> encryption: it just calls OpenSSL.
>
> As I don't know how OpenSSL deals with such hardware on Linux, I don't
> know if your problem is related to OpenSSL or directly to Linux
> kernel, but it's quite sure it is not directly related to ipsec-tools,
> as the same configuration works without your hardware encryption....

The error message above is from the kernel. And the 'geode-aes' is a kernel module - it can affect only the kernel acceleration. This question should go to linux kernel mailing list.
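
An added example, not part of any message in the thread: Python that pulls the kernel crypto self-test failures and the tunnel setup time out of a console capture like the first log above. Kernel console output lands in the middle of syslog lines in that capture, so both patterns search anywhere in the text instead of at line starts. SAMPLE is an excerpt of that log; the year 2012 (syslog omits it) and all function names are assumptions of the example.

```python
import re
from datetime import datetime

# Excerpt of the "with geode_aes" log from the first message (trimmed).
SAMPLE = """\
Starting IKE (ISAKMP/Oakley) server: racoonMar 14 15:15:20 Racoon racoon: INFO: @(#)ipsec-tools 0.8.0
Mar 14 15:15[ 343.730982] alg: hash: Test 1 failed for xcbc(geode-aes)
:20 Racoon racoo[ 343.748947] 00000000: 63 74 f4 ec c2 1c 78 59 cc d9 6d f3 a5 30 d4 01
[ 403.796600] alg: hash: Test 1 failed for xcbc(geode-aes)
[ 463.865844] alg: hash: Test 1 failed for xcbc(geode-aes)
Mar 14 15:18:21 Racoon racoon: INFO: x.x.92.65[500] us[ 523.937533] alg: hash: Test 1 failed for xcbc(geode-aes)
Mar 14 15:19:29 Racoon racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.92.65[4500]->x.x.1.95[4500]
"""

# Kernel self-test failure with its printk timestamp, matched anywhere in a line.
FAIL = re.compile(r"\[\s*(\d+\.\d+)\] alg: (\w+): Test \d+ failed for (\S+)")
# An intact racoon syslog entry; entries cut in two by console output do not match.
RACOON = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (.*)")

def selftest_failures(log):
    """Map each failing algorithm to the sorted kernel timestamps of its failures."""
    hits = {}
    for ts, _kind, alg in FAIL.findall(log):
        # A set drops the duplicate when console and syslog both carry the line.
        hits.setdefault(alg, set()).add(float(ts))
    return {alg: sorted(times) for alg, times in hits.items()}

def failure_gaps(times):
    """Whole seconds between consecutive failures."""
    return [round(b - a) for a, b in zip(times, times[1:])]

def setup_seconds(log, year=2012):
    """Seconds from racoon's first entry to the last 'IPsec-SA established'."""
    start = end = None
    for stamp, msg in RACOON.findall(log):
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        start = start or when
        if msg.startswith("INFO: IPsec-SA established"):
            end = when
    if start is None or end is None:
        return None
    return int((end - start).total_seconds())

if __name__ == "__main__":
    for alg, times in selftest_failures(SAMPLE).items():
        print(alg, "failed", len(times), "times, gaps (s):", failure_gaps(times))
    print("setup time (s):", setup_seconds(SAMPLE))
```

On this excerpt the failures sit about 60 seconds apart and the tunnel takes 249 seconds to come up, which matches the "almost 4 minutes" reported in the first message.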