IPsec: algorithm CHACHA20_POLY1305 not supported by kernel

Started by mfedv, November 25, 2020, 08:31:02 PM

(opnsense 20.7.5)

Hi,

I tried to set up IPsec parameters better suited to my old Atom netbook,
which lacks AES-NI (hardware support for AES). Without AES in hardware,
the best crypto suite for authenticated encryption would be
ChaCha20-Poly1305.

It is not available in the OpenVPN GUI, but I could manually compose a
strongSwan connection definition at
    /usr/local/etc/ipsec.opnsense.d/xyz.conf
The GUI shows this connection at VPN / IPsec / Status Overview (nice!)

Establishing an IKE_SA (using AES) works, but setting up the CHILD_SA (using
ChaCha20) fails on OPNsense with this message:

    algorithm CHACHA20_POLY1305 not supported by kernel!

I found a message from 2015 that HardenedBSD removed ChaCha20:
    https://hardenedbsd.org/article/shawn-webb/2015-02-05/removal-chacha20-import

Does anybody know of plans to add it back?


Regards
Matthias
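For readers who want to reproduce the setup described in this post, the following is a constructed strongSwan connection definition in ipsec.conf syntax of the kind one would drop into /usr/local/etc/ipsec.opnsense.d/xyz.conf. It is an added example, not the poster's file and not part of OPNsense; the connection name, identities, addresses and the PSK authentication are placeholder assumptions. It pairs an AES-GCM IKE proposal (the IKE_SA that the post says comes up fine) with a ChaCha20-Poly1305 ESP proposal (the CHILD_SA that the kernel rejects).

```conf
# Constructed example; assumed names, addresses and auth method, not values from the post.
conn chacha-site
    keyexchange=ikev2
    # IKE_SA: AES-GCM with an explicit PRF (required when the IKE cipher is an AEAD).
    # The "!" makes the proposal strict so nothing weaker is accepted.
    ike=aes256gcm16-prfsha256-ecp256!
    # CHILD_SA: ChaCha20-Poly1305 for ESP with PFS. On a kernel without the
    # chacha20poly1305 ESP transform this is the line that produces
    # "algorithm CHACHA20_POLY1305 not supported by kernel!"
    esp=chacha20poly1305-ecp256!
    left=%any
    leftid=@fw.example.net          # placeholder identity
    leftsubnet=192.0.2.0/24         # placeholder local network
    right=203.0.113.10              # placeholder peer address
    rightid=@peer.example.net       # placeholder identity
    rightsubnet=198.51.100.0/24     # placeholder remote network
    authby=psk                      # assumed; the post does not state the auth method
    auto=start
```

A matching pre-shared key entry is needed in ipsec.secrets (`@fw.example.net @peer.example.net : PSK "..."`), after which `ipsec reload` and `ipsec up chacha-site` exercise the connection. The important caveat is that the error in the post is raised when strongSwan asks the kernel to install the negotiated ESP SA, not during IKE negotiation: once both peers have agreed on ChaCha20-Poly1305, no change to this file can make the CHILD_SA come up on a kernel that lacks the transform, so until kernel support exists the ESP proposal has to fall back to a cipher the kernel does implement.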