I'm simply running a new FreeBSD 10-stable r276472

> So I have been running a stable ipsec tunnel between my MacBook Pro and a
> FreeBSD 10-stable server, I just rebuilt world today and racoon has become
> pissy and refuses to start, and as usual with ipsec, debugging it is like

Previous message: IPSec and racoon issue.

Modules linked in: xfrm6_mode_tunnel xfrm4_mode_tunnel xfrm_user xfrm4_tunnel ipcomp xfrm_ipcomp esp4 ah4 ipv6 ath9k_htc(O)b
CPU: 0 PID: 0 Comm: swapper Tainted: G O 4.1.27 #3

I have tried these patches, at least those which were not in the 4.1.15 nxp branch already.

As a result, I get the following kernel Oops when configuring aes in ipsec phase 2.

Maybe you could provide a patch set that can be directly applied on the NXP git source tree?

For info: here is the applicable patch that I could prepare out of your patches:

So what are they supposed to be applied on? Parts of some patches seem to have been committed already! So I had to sort out manually the parts that had been committed already and reformed the patches accordingly.

Unable to handle kernel paging request at virtual address 72617493

Additionally, I think that the patches that you provided are quite problematic because they cannot be applied directly on the NXP sources.

Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Modules linked in: esp4 xfrm4_mode_tunnel hmac ov5642_camera mxc_v4l2_capture ipu_bg_overlay_sdc ipu_still g
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.1.15-1.1.1+gd5d7c02 #1
Internal error: Oops: 805 PREEMPT SMP ARM
Unable to handle kernel paging request at virtual address 70000000

Now I did try on the mcimx6q BSP board without software changes and the result is similar to it.

The log extract above was taken from our platform.
Encryption of IPSEC ESP-packets coming from eth0 ("fec" driver) fails with CAAM when encryption algorithm is AES or AES256 on Linux platforms.

- an i.MX6 BSP board (MCIMX6Q-SDB) with 2 network interfaces:
  - eth0: attached to the processor, handled in Linux by the fec driver.
  - eth1: a digitus USB2.0 Ethernet Adapter (Pegasus/Pegasus II USB Ethernet driver) connected to the OTG port.
- The board runs the latest linux 4.1.15_1.0.0_ga yocto software with "ipsec-tools" and the necessary ipsec kernel modules.
- The ipsec client on the board (ipsec-tools) is configured to encrypt traffic in an IPSEC-tunnel from eth0 to a VPN-server behind eth1: the ip traffic comes unencrypted via eth0 and goes out encrypted over eth1. This is a typical "road-warrior" scenario.
- The esp encryption algorithm chosen is aes (or aes256).
- In this case CAAM does not correctly encrypt the ESP packets and they are discarded by the VPN-server.
- It doesn't matter which VPN-server is used, we have been trying with CISCO ASA, various Juniper gateways, PfSense, racoon, strongSwan: problem is always there.
- We have been replacing ipsec-tools by strongSwan: the problem remains.
- We have been investigating this issue quite intensively these last 6 months and found out that:
  - changing the encryption algorithm from aes to 3des solves this issue.
  - deactivating caam also solves this issue.
  - switching cable and ip addresses of eth0 and eth1 also solves this issue.
  - using VLAN tagging on eth0 solves this issue

For different (good) reasons none of these workarounds are acceptable for us: we have a customer that needs to perform IPSEC AES encryption from eth0 to eth1.

Are there any workarounds other than the ones listed above for this issue?

This issue seems to be present on all i.MX6 platforms.

Attached is a short description of the IPSEC test-setup on the i.MX6 test board.

We can provide additional logging/configuration files/images if needed.

Original Attachment has been moved to: ipsec.sh
Original Attachment has been moved to: run-logs.tgz