[Openswan Users] NULL encryption error message

Paul Wouters paul at xelerance.com
Sun Nov 1 11:32:50 EST 2009


On Sun, 1 Nov 2009, farajian amin wrote:

> Can anybody help me? How can I enable NULL encryption in Openswan 2.6.23? Is there any user configuration?
> We are using KLIPS... Is there any kernel configuration?

KLIPS only supports ESP_NULL via cryptoapi. Make sure you are using that.
I also just merged in the patch from bug #428 into git. You can pull
that code or apply the attached patch. Note, still untested by me.
You'll have to set CONFIG_KLIPS_ENC_NULL.

> I want it to perform a perfomance test of IPSEC protocol stack.
>
> I have set esp="null" in ipsec.conf  file and also
> I have set USE_NOCRYPTO ?=true and USE_WEAKSTAFF?=true but still receiving

That should work. Or esp=null-md5 or esp=null-sha1-96

>  *****requested kernel enc ealg_id=11 not present
> ******can not initiate: no acceptable kernel algorithms loaded

Paul
-------------- next part --------------
diff --git a/linux/include/openswan/ipsec_xform.h b/linux/include/openswan/ipsec_xform.h
index 9abbea2..c99e555 100644
--- a/linux/include/openswan/ipsec_xform.h
+++ b/linux/include/openswan/ipsec_xform.h
@@ -120,6 +120,7 @@ static inline const char *auth_name_id (unsigned id) {
 		((x)->ips_encalg == SADB_X_CALG_DEFLATE ? \
 		 "_DEFLATE" : "_UNKNOWN_comp") : \
 	(x)->ips_encalg == ESP_NONE ? "" : \
+	(x)->ips_encalg == ESP_NULL ? "_NULL" : \
 	(x)->ips_encalg == ESP_3DES ? "_3DES" : \
 	(x)->ips_encalg == ESP_AES ? "_AES" : \
 	(x)->ips_encalg == ESP_SERPENT ? "_SERPENT" : \
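Review bot: The added `ESP_NULL` arm relies on a constant whose only definition in this patch is the `#define ESP_NULL 11` added to ipsec_alg_cryptoapi.c, so every other file that expands this name macro depends on the header, or something it includes, already defining it. The macro starts and ends outside the hunk, so that cannot be confirmed from here. If the header already defines it, the new define in the .c file is a duplicate and is better dropped or wrapped in `#ifndef ESP_NULL` ... `#endif`. If it does not, the define belongs in a shared header rather than in the .c file.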
diff --git a/linux/net/ipsec/ipsec_alg_cryptoapi.c b/linux/net/ipsec/ipsec_alg_cryptoapi.c
index de9311e..8dc6e22 100644
--- a/linux/net/ipsec/ipsec_alg_cryptoapi.c
+++ b/linux/net/ipsec/ipsec_alg_cryptoapi.c
@@ -153,6 +153,9 @@ IPSEC_ALG_MODULE_INIT_STATIC( ipsec_cryptoapi_init )
 	#define hmac(X)	"hmac(" #X ")"
 #endif /* if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) */
 
+#ifdef CONFIG_KLIPS_ENC_NULL
+# define CIPHERNAME_NULL		cbc(null)
+#endif
 #define CIPHERNAME_AES		cbc(aes)
 #define CIPHERNAME_1DES		cbc(des)
 #define CIPHERNAME_3DES		cbc(des3_ede)
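Review bot: `CIPHERNAME_NULL` appears to expand to a `cbc(null)` lookup name, which may not match anything the kernel CryptoAPI registers. To my knowledge crypto/crypto_null.c exposes the null cipher as `cipher_null` (and `ecb(cipher_null)`), not `null`. The `cbc()` helper is defined above this hunk, so the exact string is inferred from the visible `hmac()` pattern. A failed lookup could end in the same `requested kernel enc ealg_id=11 not present` message reported in this thread, so check the name against the target kernel before relying on the patch. One option is `# define CIPHERNAME_NULL ecb(cipher_null)`, if an `ecb()` helper exists or is added next to `cbc()`.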
@@ -164,6 +167,7 @@ IPSEC_ALG_MODULE_INIT_STATIC( ipsec_cryptoapi_init )
 #define DIGESTNAME_MD5		"md5"
 #define DIGESTNAME_SHA1		"sha1"
 
+#define ESP_NULL		11
 #define ESP_SERPENT		252	/* from ipsec drafts */
 #define ESP_TWOFISH		253	/* from ipsec drafts */
 
@@ -179,6 +183,9 @@ module_param(noauto,int,0644);
 
 MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
 
+#ifdef CONFIG_KLIPS_ENC_NULL
+static int cipher_null[] = {-1, -1};
+#endif
 #ifdef CONFIG_KLIPS_ENC_1DES
 static int des_ede1[] = {-1, -1};
 #endif
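Review bot: `cipher_null` is initialised to `{-1, -1}` like the real ciphers, which appears to leave it in the auto-probe state, so a kernel built with CONFIG_KLIPS_ENC_NULL would register ESP_NULL whenever the module loads without `noauto`. ESP_NULL gives no confidentiality, so it is safer to make it opt-in with `static int cipher_null[] = {0, -1};`, so that `cipher_null=1` is needed to enable it. The meaning of -1 is inferred from the `0: disable | 1: force_enable` descriptions, because the setup code is outside the hunk. The MODULE_PARM_DESC added further down could say the same, e.g. `"0: disable | 1: force_enable (no confidentiality, testing only)"`.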
@@ -189,6 +196,9 @@ static int cast[] = {-1, -1};
 static int serpent[] = {-1, -1};
 static int twofish[] = {-1, -1};
 
+#ifdef CONFIG_KLIPS_ENC_NULL
+module_param_array(cipher_null,int,NULL,0444);
+#endif
 #ifdef CONFIG_KLIPS_ENC_1DES
 module_param_array(des_ede1,int,NULL,0444);
 #endif
@@ -199,7 +209,12 @@ module_param_array(cast,int,NULL,0444);
 module_param_array(serpent,int,NULL,0444);
 module_param_array(twofish,int,NULL,0444);
 
+#ifdef CONFIG_KLIPS_ENC_NULL
+MODULE_PARM_DESC(cipher_null, "0: disable | 1: force_enable | min,max: dontuse");
+#endif
+#ifdef CONFIG_KLIPS_ENC_1DES
 MODULE_PARM_DESC(des_ede1, "0: disable | 1: force_enable | min,max: dontuse");
+#endif
 MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse");
 MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens");
 MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens");
@@ -226,6 +241,9 @@ static struct ipsec_alg_capi_cipher alg_capi_carray[] = {
 #ifdef CONFIG_KLIPS_ENC_1DES
   { CIPHERNAME_1DES,     8,  64,  64, des_ede1, { ixt_common:{ ixt_support:{ ias_id: ESP_DES,}}}},
 #endif
+#ifdef CONFIG_KLIPS_ENC_NULL
+  { CIPHERNAME_NULL,     1,  0,  0, cipher_null, { ias_id: ESP_NULL,}},
+#endif
   { NULL, 0, 0, 0, NULL, {} }
 };
 
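Review bot: The new table entry initialises its last member as `{ ias_id: ESP_NULL,}`, while the `CIPHERNAME_1DES` entry just above reaches the same field through `{ ixt_common:{ ixt_support:{ ias_id: ESP_DES,}}}`. Unless the struct, which is declared outside this hunk, lets `ias_id` be named at the top level, the shorter form will either fail to compile or set a different field, and the message says the patch is untested. Matching the neighbouring entries would give `{ CIPHERNAME_NULL, 1, 0, 0, cipher_null, { ixt_common:{ ixt_support:{ ias_id: ESP_NULL,}}}},`. The block size of 1 and the 0/0 key-length bounds look plausible for a keyless cipher, but a short comment saying so would help.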

