From: "Peter J. Philipp"
Subject: patch for iked [was: suggestions for sec(4)]
To: tech@openbsd.org
Date: Wed, 8 May 2024 09:44:44 +0200

> To continue on as a GENERAL QUESTION (not just you David):
>
> Since you mentioned iked.. Is there any way to make this enc TRANSFORM work?
>
> $ man iked.conf | grep chacha20
> chacha20-poly1305 288 bits [ESP only]
>
> I'm looking for AES alternatives and found only 4 alternatives in iked. There
> is that, cast, blowfish and 3des. I don't know much about cast, and twofish and
> threefish exist so blowfish is probably outdated. I chose triple des.
>
> ikev2 passive transport esp from $self_ip to $telekom_ip3 \
> ikesa auth hmac-sha2-512 prf hmac-sha2-512 enc 3des \
> group sntrup761x25519 \
> childsa auth hmac-sha2-512 prf hmac-sha2-512 enc 3des \
> group sntrup761x25519 \
> srcid $self_ip lifetime 1200 tag "IPSEC"
>
> However I couldn't get the chacha20-poly1305 to work by placing it as:
> "enc chacha20-poly1305" in place of "enc 3des"...
>
> Does the x in "Default" Column have anything to do with that?

Ok I figured this one out. The error I got was hard to decipher until I put these extra dialogues in the error.

Index: parse.y =================================================================== RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.145 diff -u -p -u -r1.145 parse.y --- parse.y 13 Apr 2024 15:58:10 -0000 1.145 +++ parse.y 8 May 2024 07:39:40 -0000 @@ -875,7 +875,7 @@ transform : AUTHXF STRING { if (xfs == NULL) err(1, "transform: recallocarray"); if ((xfs[nxfs] = parse_xf($2, 0, authxfs)) == NULL) { - yyerror("%s not a valid transform", $2); + yyerror("auth %s not a valid transform", $2); YYERROR; } free($2); @@ -890,7 +890,7 @@ transform : AUTHXF STRING { if (xfs == NULL) err(1, "transform: recallocarray"); if ((xfs[nxfs] = parse_xf($2, 0, encxfs)) == NULL) { - yyerror("%s not a valid transform", $2); + yyerror("enc %s not a valid transform", $2); YYERROR; } free($2);
@@ -905,7 +905,7 @@ transform : AUTHXF STRING { if (xfs == NULL) err(1, "transform: recallocarray"); if ((xfs[nxfs] = parse_xf($2, 0, prfxfs)) == NULL) { - yyerror("%s not a valid transform", $2); + yyerror("prf %s not a valid transform", $2); YYERROR; } free($2); @@ -920,7 +920,7 @@ transform : AUTHXF STRING { if (xfs == NULL) err(1, "transform: recallocarray"); if ((xfs[nxfs] = parse_xf($2, 0, groupxfs)) == NULL) { - yyerror("%s not a valid transform", $2); + yyerror("group %s not a valid transform", $2); YYERROR; } free($2); @@ -935,7 +935,7 @@ transform : AUTHXF STRING { if (xfs == NULL) err(1, "transform: recallocarray"); if ((xfs[nxfs] = parse_xf($1, 0, esnxfs)) == NULL) { - yyerror("%s not a valid transform", $1); + yyerror("esn %s not a valid transform", $1); YYERROR; } ipsec_transforms->esnxf = xfs;

do with this as you wish. I do notice that when adding chacha20-poly1305 to the ikesa enc struct table in the iked source that it doesn't work. So that's reason to be sure that we're locked in to 3DES or AES on exchanging keys.

Best Regards,
-pjp

--
my associated domains: callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de
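Review bot: in the enc hunk (@@ -890,7 +890,7 @@) the new message names the keyword but still not the context that made the name invalid, which is exactly the case that started this thread: `enc` is accepted in both the ikesa and the childsa block, while the quoted iked.conf(5) excerpt marks chacha20-poly1305 as [ESP only], so the same string is valid in one block and rejected in the other. Since `encxfs` is the only table consulted here, consider extending the message to say which SA the transform was being parsed for, e.g. `yyerror("enc %s not a valid transform for this SA", $2);`, or pointing the user at the [ESP only]/[IKE only] markers, so the next reader does not have to instrument yyerror() to find out.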
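Review bot: in the esn hunk (@@ -935,7 +935,7 @@) the value formatted is `$1`, the first symbol of that rule, whereas the four preceding hunks format `$2`, the STRING that follows the keyword. If `$1` is the keyword text the user typed, the new message reads `esn esn not a valid transform`, duplicating the word the hunk adds. Check the output of that rule with an invalid value before committing, and drop the literal prefix in this one hunk if it repeats `$1`.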
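The placement that the quoted manual excerpt and the mail's conclusion imply, written out as an iked.conf fragment. This is an added illustration, not text from the mail and not from the iked source tree: chacha20-poly1305 is marked [ESP only], so it belongs in the childsa block, and the ikesa line is kept exactly as in the quoted rule. Assumptions: $self_ip and $telekom_ip3 are macros defined earlier in the file, and no auth transform is listed next to chacha20-poly1305, because an AEAD transform carries its own integrity protection.

```conf
# Added example; not part of the mail or of iked.
# $self_ip and $telekom_ip3 are assumed to be macros defined earlier in iked.conf.
#
# Rejected form: chacha20-poly1305 is [ESP only] in iked.conf(5), so with
# the patch above a config test (iked -n) fails on the ikesa block with a
# message of the form "enc chacha20-poly1305 not a valid transform".
#
# ikev2 passive transport esp from $self_ip to $telekom_ip3 \
#         ikesa auth hmac-sha2-512 prf hmac-sha2-512 enc chacha20-poly1305 \
#                 group sntrup761x25519 \
#         childsa enc chacha20-poly1305 group sntrup761x25519 \
#         srcid $self_ip lifetime 1200 tag "IPSEC"

# Accepted form: the IKE SA transforms stay as in the original rule and
# chacha20-poly1305 is used only for the child (ESP) SA.
# Assumption: no auth transform next to the AEAD cipher, which
# authenticates the payload itself.
ikev2 passive transport esp from $self_ip to $telekom_ip3 \
        ikesa auth hmac-sha2-512 prf hmac-sha2-512 enc 3des \
                group sntrup761x25519 \
        childsa enc chacha20-poly1305 group sntrup761x25519 \
        srcid $self_ip lifetime 1200 tag "IPSEC"
```

Run `iked -n -f <file>` against the candidate file before reloading the daemon; with the patch applied, the rejected variant reports which keyword (enc) the bad name was given to, which is the information the plain "%s not a valid transform" message was missing.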