OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 20.7 Legacy Series »
  • IPsec: algorithm CHACHA20_POLY1305 not supported by kernel
« previous next »
  • Print
Pages: [1]

Author Topic: IPsec: algorithm CHACHA20_POLY1305 not supported by kernel  (Read 1587 times)

mfedv

  • Newbie
  • *
  • Posts: 43
  • Karma: 6
    • View Profile
IPsec: algorithm CHACHA20_POLY1305 not supported by kernel
« on: November 25, 2020, 08:31:02 pm »
(opnsense 20.7.5)

Hi,

tried to set up IPsec parameters better suitable for my old atom netbook
which lacks aes-ni (hardware support for AES). Without AES in hardware,
the best crypto suite for Authenticated Encryption would be
ChaCha20-Poly1305.

It is not available in Openvpn GUI, but I could manually compose a
strongswan connection definition at
    /usr/local/etc/ipsec.opnsense.d/xyz.conf
The GUI shows this connection at VPN / IPsec / Status Overview (nice!)

Establishing an IKE_SA (using AES) works, but setup of CHILD_SA (using
ChaCha20) fails on opnsense with this message:

    algorithm CHACHA20_POLY1305 not supported by kernel!

I found a message from 2015 that HardenedBSD removed ChaCha20:
    https://hardenedbsd.org/article/shawn-webb/2015-02-05/removal-chacha20-import

Anybody know of plans to add it back?


Regards
Matthias
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 20.7 Legacy Series »
  • IPsec: algorithm CHACHA20_POLY1305 not supported by kernel
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2