Using Linux Kernel Cryptography API for IPSec

Question

I would like to use salsa20 from Linux Crypto API as encrption algrothim for IPSec ESP. I have established an IPSec connection (between two VMs) using default settings in racoon successfully

remote 192.168.75.3
{
 exchange_mode aggressive, main;
 my_identifier address;
 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group 2;
 }
}

but as I change the encryption algorithm to salsa20

remote 192.168.75.3
{
 exchange_mode aggressive, main;
 my_identifier address;
 proposal {
  encryption_algorithm salsa20;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group 2;
 }
}

and restart the connection I receive a syntax error on "sa" which is a fatal error. seems to me that racoon may not use Linux kernel Crypto API or at least it does not support every algorithm there! Am I right? or I do something quit wrong? Is there any way around to use salsa20 on IPSec in linux?

Answer 1

Just for record.

I dig into the kernel code and found that it's only possible to use some specific encryption algorithms there (according to IPSec RFCs) and adding a new block ciphering algorithm would also involve manipulation the IKE (e.g Racoon).

By the way there is only a draft RFC for using stream ciphers (like salsa20) for IPSec ESP so using them would involve implementing a draft RFC on top of other modifications.