(OPNsense 20.7.5)
Hi,
I tried to set up IPsec parameters better suited to my old Atom netbook,
which lacks AES-NI (hardware support for AES). Without AES in hardware,
the best crypto suite for Authenticated Encryption would be
ChaCha20-Poly1305.
It is not available in the OpenVPN GUI, but I could manually compose a
strongSwan connection definition at
/usr/local/etc/ipsec.opnsense.d/xyz.conf.
The GUI shows this connection at VPN / IPsec / Status Overview (nice!).
Establishing an IKE_SA (using AES) works, but setup of the CHILD_SA (using
ChaCha20) fails on OPNsense with this message:
algorithm CHACHA20_POLY1305 not supported by kernel!
I found a message from 2015 that HardenedBSD removed ChaCha20:
https://hardenedbsd.org/article/shawn-webb/2015-02-05/removal-chacha20-import
Anybody know of plans to add it back?
Regards
Matthias