Using Linux Kernel Cryptography API for IPSec
22-06-2021
Question
I would like to use salsa20 from the Linux Crypto API as the encryption algorithm for IPSec ESP. I have successfully established an IPSec connection (between two VMs) using the default settings in racoon:
    remote 192.168.75.3
    {
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }
but as I change the encryption algorithm to salsa20
    remote 192.168.75.3
    {
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
            encryption_algorithm salsa20;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }
and restart the connection, I receive a syntax error on "sa", which is a fatal error. It seems to me that racoon may not use the Linux kernel Crypto API, or at least it does not support every algorithm there! Am I right? Or am I doing something quite wrong? Is there any workaround to use salsa20 on IPSec in Linux?
Solution
Just for the record.
I dug into the kernel code and found that it's only possible to use some specific encryption algorithms there (according to the IPSec RFCs), and adding a new block ciphering algorithm would also involve manipulating the IKE (e.g. Racoon).
By the way, there is only a draft RFC for using stream ciphers (like salsa20) for IPSec ESP, so using them would involve implementing a draft RFC on top of the other modifications.
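The gap the answer describes, between what the kernel crypto API registers and what the IPsec layer accepts for ESP, can be checked on a host with the following added example (not code from the original post or from the kernel or racoon projects). It assumes the ESP algorithm names listed in XFRM_ESP_ALGOS, which are transcribed from the kernel's net/xfrm/xfrm_algo.c and vary by kernel version; the function names and the sample /proc/crypto text are constructed for illustration.

```python
# Added example: crypto-API ciphers vs. names the xfrm (IPsec) layer knows.
# ASSUMPTION: names transcribed from net/xfrm/xfrm_algo.c in a recent mainline
# kernel; the table varies by version, so check your own kernel tree.
XFRM_ESP_ALGOS = {
    "ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
    "cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
    "cbc(twofish)", "rfc3686(ctr(aes))", "rfc4106(gcm(aes))",
    "rfc4309(ccm(aes))", "rfc4543(gcm(aes))", "rfc7539esp(chacha20,poly1305)",
}
# /proc/crypto "type" values that denote cipher modes (older and newer kernels).
CIPHER_TYPES = {"blkcipher", "ablkcipher", "skcipher", "aead"}

# Constructed, trimmed sample in /proc/crypto layout (blank line ends a record).
SAMPLE_PROC_CRYPTO = """\
name         : salsa20
type         : blkcipher

name         : cbc(aes)
type         : skcipher

name         : sha1
type         : shash
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per algorithm record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last record
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
        elif current:                          # blank line ends a record
            records.append(current)
            current = {}
    return records

def classify(text):
    """Return (names usable for ESP, names registered but unknown to xfrm)."""
    names = {r["name"] for r in parse_proc_crypto(text)
             if r.get("type") in CIPHER_TYPES and "name" in r}
    return sorted(names & XFRM_ESP_ALGOS), sorted(names - XFRM_ESP_ALGOS)

if __name__ == "__main__":
    try:
        with open("/proc/crypto") as fh:       # live table on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_CRYPTO
    print("ESP-capable / crypto-API-only:", classify(text))
```

/proc/crypto lists only algorithm instances that are currently registered, so a mode whose module is not loaded will not appear in either list.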