Bug 11855

Summary: IPsec: Cannot establish tunnel with ChaCha20-Poly1305 on ARM
Product: IPFire
Reporter: Michael Tremer <michael.tremer>
Component: ---
Assignee: Arne.F <arne.fitzenreiter>
Status: CLOSED FIXED
QA Contact:
Severity: Crash
Priority: Will affect an average number of users
CC: peter.mueller
Version: 2
Hardware: unspecified
OS: Unspecified
Bug Depends on: 11549
Bug Blocks:
Attachments: Log excerpt

Description Michael Tremer 2018-09-10 09:58:03 UTC
Created attachment 624: Log excerpt

Cannot establish IPsec VPN with ChaCha20-Poly1305 on ARM:

> received netlink error: Function not implemented (38)
> unable to add SAD entry with SPI c7e5aa6d (FAILED)

Full log is attached.

It looks like this is not enabled in the ARM kernel configs:

> config/kernel/kernel.config.aarch64-ipfire:# CONFIG_CRYPTO_CHACHA20POLY1305 is not set
> config/kernel/kernel.config.aarch64-ipfire:# CONFIG_CRYPTO_CHACHA20 is not set
> config/kernel/kernel.config.armv5tel-ipfire-kirkwood:# CONFIG_CRYPTO_CHACHA20POLY1305 is not set
> config/kernel/kernel.config.armv5tel-ipfire-kirkwood:# CONFIG_CRYPTO_CHACHA20 is not set
> config/kernel/kernel.config.armv5tel-ipfire-multi:# CONFIG_CRYPTO_CHACHA20POLY1305 is not set
> config/kernel/kernel.config.armv5tel-ipfire-multi:# CONFIG_CRYPTO_CHACHA20 is not set
> config/kernel/kernel.config.i586-ipfire:CONFIG_CRYPTO_CHACHA20POLY1305=m
> config/kernel/kernel.config.i586-ipfire:CONFIG_CRYPTO_CHACHA20=m
> config/kernel/kernel.config.i586-ipfire-pae:CONFIG_CRYPTO_CHACHA20POLY1305=m
> config/kernel/kernel.config.i586-ipfire-pae:CONFIG_CRYPTO_CHACHA20=m
> config/kernel/kernel.config.x86_64-ipfire:CONFIG_CRYPTO_CHACHA20POLY1305=m
> config/kernel/kernel.config.x86_64-ipfire:CONFIG_CRYPTO_CHACHA20=m
> config/kernel/kernel.config.x86_64-ipfire:CONFIG_CRYPTO_CHACHA20_X86_64=m

Please enable.

This is quite severe because ChaCha20-Poly1305 is chosen as default and tunnels with the default settings won't come up if one peer is ARM.
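
A build-time check for the mismatch described in this report, added here as an example (it is not part of the bug report or of IPFire's build system): it scans every kernel.config.* file in a directory and lists each architecture where an option needed by the default IPsec cipher is neither =y nor =m. The function names and the sample files are constructed for illustration; the two option names are the ones quoted in the report.

```shell
#!/bin/sh
# Options the report found missing on ARM (taken from the grep output above).
REQUIRED_OPTS="CONFIG_CRYPTO_CHACHA20POLY1305 CONFIG_CRYPTO_CHACHA20"

# Print "<config file>: <option>" for every required option that is not
# built in (=y) or modular (=m). Returns 1 if anything is missing, so the
# function can gate a build or a CI job.
missing_crypto_opts() {
    dir=$1
    rc=0
    for cfg in "$dir"/kernel.config.*; do
        [ -f "$cfg" ] || continue
        for opt in $REQUIRED_OPTS; do
            # Anchored match: "# CONFIG_X is not set" and longer option
            # names such as CONFIG_CRYPTO_CHACHA20_X86_64 must not count.
            if ! grep -Eq "^${opt}=[ym]\$" "$cfg"; then
                echo "$(basename "$cfg"): $opt"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample input mirroring lines from the report (not real files).
make_sample_configs() {
    d=$(mktemp -d)
    printf '%s\n' '# CONFIG_CRYPTO_CHACHA20POLY1305 is not set' \
                  '# CONFIG_CRYPTO_CHACHA20 is not set' \
        > "$d/kernel.config.aarch64-ipfire"
    printf '%s\n' 'CONFIG_CRYPTO_CHACHA20POLY1305=m' \
                  'CONFIG_CRYPTO_CHACHA20=m' \
                  'CONFIG_CRYPTO_CHACHA20_X86_64=m' \
        > "$d/kernel.config.x86_64-ipfire"
    echo "$d"
}

sample=$(make_sample_configs)
missing_crypto_opts "$sample" \
    || echo "FAIL: default IPsec cipher unavailable on at least one arch"
rm -rf "$sample"
```

Pointing missing_crypto_opts at a real config/kernel directory gives a non-zero exit status whenever one architecture would reject a proposal that the others accept.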