How to Enable support for IPsec deprecated algorithms: 3DES, MD5-HMAC
Date: Tue, 04 Oct 2022 08:34:24 UTC
Hi,

I am trying to move my gateway from FreeBSD 11.0 to FreeBSD 14.0 to use the newly added ipfw table lookup for MAC addresses (https://reviews.freebsd.org/D35103).

Also, I have too many IPsec connections between FortiGate, Cisco etc., and their operators use only 3DES algorithms and have no intention to change it for me. So now I have to enable 3DES support for FreeBSD 14.0.

To add 3DES support again I changed some files, shown below. I am not sure what I did; any help is welcome.

I restored the files below:

https://cgit.freebsd.org/src/commit/?id=16aabb761c0a

- -rw-r--r-- [lib/libipsec/pfkey_dump.c](https://cgit.freebsd.org/src/diff/lib/libipsec/pfkey_dump.c?id=16aabb761c0a) 25
- -rw-r--r-- [sbin/setkey/sample.cf](https://cgit.freebsd.org/src/diff/sbin/setkey/sample.cf?id=16aabb761c0a) 79
- -rw-r--r-- [sbin/setkey/setkey.8](https://cgit.freebsd.org/src/diff/sbin/setkey/setkey.8?id=16aabb761c0a) 29
- -rw-r--r-- [sbin/setkey/test-pfkey.c](https://cgit.freebsd.org/src/diff/sbin/setkey/test-pfkey.c?id=16aabb761c0a) 32
- -rw-r--r-- [sbin/setkey/token.l](https://cgit.freebsd.org/src/diff/sbin/setkey/token.l?id=16aabb761c0a) 11
- -rw-r--r-- [sys/netipsec/ipsec.c](https://cgit.freebsd.org/src/diff/sys/netipsec/ipsec.c?id=16aabb761c0a) 5
- -rw-r--r-- [sys/netipsec/ipsec.h](https://cgit.freebsd.org/src/diff/sys/netipsec/ipsec.h?id=16aabb761c0a) 2
- -rw-r--r-- [sys/netipsec/key.c](https://cgit.freebsd.org/src/diff/sys/netipsec/key.c?id=16aabb761c0a) 12
- -rw-r--r-- [sys/netipsec/xform_ah.c](https://cgit.freebsd.org/src/diff/sys/netipsec/xform_ah.c?id=16aabb761c0a) 26
- -rw-r--r-- [sys/netipsec/xform_esp.c](https://cgit.freebsd.org/src/diff/sys/netipsec/xform_esp.c?id=16aabb761c0a) 25
- -rw-r--r-- [usr.bin/netstat/ipsec.c](https://cgit.freebsd.org/src/diff/usr.bin/netstat/ipsec.c?id=16aabb761c0a)

https://cgit.freebsd.org/src/commit/?id=6c80c319ef88

- -rw-r--r-- [sys/opencrypto/cryptodev.c](https://cgit.freebsd.org/src/diff/sys/opencrypto/cryptodev.c?id=6c80c319ef88)
- -rw-r--r-- [sys/opencrypto/cryptodev.h](https://cgit.freebsd.org/src/diff/sys/opencrypto/cryptodev.c?id=6c80c319ef88)

Compiled a new kernel with these extra options:

    # OWNKERNv1
    include GENERIC
    ident   OWNKERNv1
    options IPFIREWALL
    options DUMMYNET
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT
    options IPSEC
    options IPSEC_SUPPORT
    device  crypto

    cd /usr/src
    make -j$(sysctl -n hw.ncpu) buildkernel KERNCONF=OWNKERNv1

But when I try to compile the new kernel, it gets too many errors. Any help will be appreciated at this point.

Part of the error logs:

    -- all_subdir_cryptodev ---
    /usr/src/sys/opencrypto/cryptodev.c:314:16: error: incompatible function pointer types initializing 'fo_stat_t *' (aka 'int (*)(struct file *, struct stat *, struct ucred *)') with an expression of type 'int (struct file *, struct stat *, struct ucred *, struct thread *)' [-Werror,-Wincompatible-function-pointer-types]
            .fo_stat = cryptof_stat,
                       ^~~~~~~~~~~~
    /usr/src/sys/opencrypto/cryptodev.c:412:14: error: use of undeclared identifier 'enc_xform_des'; did you mean 'enc_xform_ccm'?
                    txform = &enc_xform_des;
                              ^~~~~~~~~~~~~
                              enc_xform_ccm
    /usr/src/sys/opencrypto/xform_enc.h:105:31: note: 'enc_xform_ccm' declared here
    extern const struct enc_xform enc_xform_ccm;
                                  ^
    /usr/src/sys/opencrypto/cryptodev.c:415:14: error: use of undeclared identifier 'enc_xform_3des'
                    txform = &enc_xform_3des;
                              ^
    ...