diff options
| author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2010-09-22 14:04:10 +0000 |
|---|---|---|
| committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2010-09-22 14:04:10 +0000 |
| commit | 97afe07d2323d09ba39e51a7a164327cc271f4a3 (patch) | |
| tree | 9a9084ee5c2651032a69e868f2904ad53a2c61d3 /sys | |
| parent | 533fada97d278985d68180ce3facee30f580a937 (diff) | |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
Diffstat (limited to 'sys')
0 files changed, 0 insertions, 0 deletions