3

I have a working ipsec-tools configuration which uses aes-ctr encryption with a 224-bit key (192 bits for the key + 32 bits for the nonce). Everything works well on the 3.2.0 kernel.

Here's what man setkey says about the key length:

   aes-ctr         160/224/288     draft-ietf-ipsec-ciph-aes-ctr-03

Now, on 3.9.3 kernel the same config results in

   line 3: Not supported at [0xb852255497778bb093ea86d9f1474ec7c83822f0e2b64312657a9a06]
   parse failed, line 3.

I've seen the same message before, when moving from some old kernel to 3.2.0: it dropped 160-bit keys, and switching to 224-bit resolved the problem. Now, on 3.9.3, any key length I try results in the same error message. What is the key length that will work in 3.9.3? Did they drop AES-CTR, and should I use a different algorithm? I'm out of ideas...

setkey version is 0.8.0 on both kernels. Ubuntu precise.

Sandman4
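As an added example (not part of the original post or of ipsec-tools), a small Python check that scans setkey configuration text for `-E aes-ctr` keys and tests each against the 160/224/288-bit lengths from the man page line quoted above, separating the AES key size from the 32-bit nonce. The sample configuration, addresses and keys are constructed, and it assumes the key is written in hex on the same line as `-E aes-ctr`.

```python
import re

# Total key lengths for aes-ctr from the setkey man page line quoted in the
# question: AES key (128/192/256 bits) plus a 32-bit nonce.
NONCE_BITS = 32
VALID_TOTAL_BITS = (160, 224, 288)

# Assumption: the key is given in hex on the same line as "-E aes-ctr".
ENC_RE = re.compile(r"-E\s+aes-ctr\s+0x([0-9A-Fa-f]+)")

# Constructed sample config (documentation addresses, dummy keys).
SAMPLE_CONF = """\
flush;
spdflush;
add 192.0.2.1 192.0.2.2 esp 0x1001 -E aes-ctr 0x{k224};   # 192-bit key + nonce
add 192.0.2.2 192.0.2.1 esp 0x1002 -E aes-ctr 0x{k192};   # nonce forgotten
""".format(k224="11" * 28, k192="22" * 24)


def check_aes_ctr_keys(conf_text):
    """Return one dict per aes-ctr key found in setkey config text."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = ENC_RE.search(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        hex_key = match.group(1)
        total_bits = len(hex_key) * 4
        # A valid key is whole bytes and one of the documented total lengths.
        ok = len(hex_key) % 2 == 0 and total_bits in VALID_TOTAL_BITS
        findings.append({
            "line": line_no,
            "total_bits": total_bits,
            "aes_key_bits": total_bits - NONCE_BITS if ok else None,
            "valid_length": ok,
        })
    return findings


if __name__ == "__main__":
    # Only lengths are reported; key material is never printed.
    for f in check_aes_ctr_keys(SAMPLE_CONF):
        status = "ok" if f["valid_length"] else "BAD LENGTH"
        print("line %d: %d bits total -> %s" % (f["line"], f["total_bits"], status))
```

A key that passes this check but is still rejected by setkey is not malformed by the man page's table, so the cause lies elsewhere than the key length in the config.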

1 Answer

1

It is probably a bug in the 3.9.3 kernel.

The 3.9.3 kernel is not packaged with Ubuntu 12.04 (precise); it is someone's especial mistake to have it installed with 12.04. The 3.9.3 kernel is going to be available with Ubuntu 13.10 (saucy) only.

Sandman4