<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7655.1">
<TITLE>RE: [strongSwan] newbie qs. suite B with AES-GCM</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Forgot to add ipsec statusall<BR>
-------carol----------------<BR>
~$ sudo ipsec statusall<BR>
Status of IKEv2 charon daemon (strongSwan 4.5.2):<BR>
uptime: 19 seconds, since Jan 05 11:09:05 2012<BR>
malloc: sbrk 135168, mmap 0, used 92312, free 42856<BR>
worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0<BR>
loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink updown openssl<BR>
Listening IP addresses:<BR>
192.168.1.105<BR>
Connections:<BR>
home: 192.168.1.105...192.168.1.100<BR>
home: local: [carol@strongswan.org] uses public key authentication<BR>
home: remote: [moon.strongswan.org] uses any authentication<BR>
home: crl: status must be GOOD<BR>
home: child: dynamic === 10.1.0.0/16<BR>
Security Associations:<BR>
none<BR>
<BR>
-----Original Message-----<BR>
From: users-bounces+anil.philip=motorolasolutions.com@lists.strongswan.org on behalf of Philip Anil-QBW348<BR>
Sent: Thu 1/5/2012 10:52 AM<BR>
To: Andreas Steffen<BR>
Cc: users@lists.strongswan.org<BR>
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM<BR>
<BR>
Andreas,<BR>
I added openssl to the load command in strongswan.conf.<BR>
Still the same problem.<BR>
Anil<BR>
<BR>
-----------MOON----------------<BR>
anil@spg-strongswan:~$ sudo ipsec restart<BR>
Stopping strongSwan IPsec...<BR>
Starting strongSwan 4.5.2 IPsec [starter]...<BR>
!! Your strongswan.conf contains manual plugin load options for<BR>
!! pluto and/or charon. This is recommended for experts only, see<BR>
!! <A HREF="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</A><BR>
----------ipsec.conf-------------<BR>
# ipsec.conf - strongSwan IPsec configuration file<BR>
<BR>
# basic configuration<BR>
config setup<BR>
crlcheckinterval=180<BR>
strictcrlpolicy=yes<BR>
plutostart=no<BR>
<BR>
conn %default<BR>
ikelifetime=60m<BR>
keylife=20m<BR>
rekeymargin=3m<BR>
keyingtries=1<BR>
keyexchange=ikev2<BR>
ike=aes16-sha256-ecp256!<BR>
esp=aes128gcm128!<BR>
<BR>
conn rw<BR>
left=192.168.1.100<BR>
leftfirewall=yes<BR>
leftcert=moonCert.pem<BR>
leftid=@moon.strongswan.org<BR>
leftsubnet=10.1.0.0/16<BR>
right=%any<BR>
auto=add<BR>
<BR>
# config setup<BR>
# plutodebug=all<BR>
# crlcheckinterval=600<BR>
# strictcrlpolicy=yes<BR>
# cachecrls=yes<BR>
# nat_traversal=yes<BR>
# charonstart=yes<BR>
# plutostart=yes<BR>
<BR>
# Add connections here.<BR>
<BR>
# Sample VPN connections<BR>
<BR>
# conn sample-self-signed<BR>
# left=%defaultroute<BR>
# leftsubnet=10.1.0.0/16<BR>
# leftcert=selfCert.der<BR>
# leftsendcert=never<BR>
# right=192.168.0.2<BR>
# rightsubnet=10.2.0.0/16<BR>
# rightcert=peerCert.der<BR>
# auto=start<BR>
<BR>
# conn sample-with-ca-cert<BR>
# left=%defaultroute<BR>
# leftsubnet=10.1.0.0/16<BR>
# leftcert=myCert.pem<BR>
# right=192.168.0.2<BR>
# rightsubnet=10.2.0.0/16<BR>
# rightid="C=CH, O=Linux strongSwan CN=peer name"<BR>
# keyexchange=ikev2<BR>
# auto=start<BR>
<BR>
include /var/lib/strongswan/ipsec.conf.inc<BR>
----------------strongswan.conf------------------------<BR>
# strongswan.conf - strongSwan configuration file<BR>
<BR>
charon {<BR>
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl<BR>
<BR>
# number of worker threads in charon<BR>
threads = 16<BR>
<BR>
# send strongswan vendor ID?<BR>
# send_vendor_id = yes<BR>
<BR>
plugins {<BR>
<BR>
sql {<BR>
# loglevel to log into sql database<BR>
loglevel = -1<BR>
<BR>
# URI to the database<BR>
# database = sqlite:///path/to/file.db<BR>
# database = mysql://user:password@localhost/database<BR>
}<BR>
}<BR>
<BR>
# ...<BR>
}<BR>
<BR>
pluto {<BR>
<BR>
}<BR>
<BR>
libstrongswan {<BR>
<BR>
# set to no, the DH exponent size is optimized<BR>
# dh_exponent_ansi_x9_42 = no<BR>
}<BR>
<BR>
-------road warrior carol----------------<BR>
~$ ping 192.168.1.100<BR>
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.<BR>
64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms<BR>
64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms<BR>
~$ sudo /etc/init.d/iptables start 2> /dev/null<BR>
~$ sudo ipsec restart<BR>
Stopping strongSwan IPsec...<BR>
Starting strongSwan 4.5.2 IPsec [starter]...<BR>
!! Your strongswan.conf contains manual plugin load options for<BR>
!! pluto and/or charon. This is recommended for experts only, see<BR>
!! <A HREF="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</A><BR>
~$ sudo ipsec up home<BR>
initiating IKE_SA home[1] to 192.168.1.100<BR>
configured DH group MODP_NONE not supported<BR>
tried to check-in and delete nonexisting IKE_SA<BR>
---------------------------<BR>
# strongswan.conf - strongSwan configuration file<BR>
<BR>
charon {<BR>
<BR>
# number of worker threads in charon<BR>
threads = 16<BR>
<BR>
# send strongswan vendor ID?<BR>
# send_vendor_id = yes<BR>
<BR>
plugins {<BR>
<BR>
sql {<BR>
# loglevel to log into sql database<BR>
loglevel = -1<BR>
<BR>
# URI to the database<BR>
# database = sqlite:///path/to/file.db<BR>
# database = mysql://user:password@localhost/database<BR>
}<BR>
}<BR>
<BR>
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl<BR>
# ...<BR>
}<BR>
<BR>
pluto {<BR>
<BR>
}<BR>
<BR>
libstrongswan {<BR>
<BR>
# set to no, the DH exponent size is optimized<BR>
# dh_exponent_ansi_x9_42 = no<BR>
}<BR>
---------------------------------------------------------------<BR>
# ipsec.conf - strongSwan IPsec configuration file<BR>
<BR>
# basic configuration<BR>
<BR>
config setup<BR>
# plutodebug=all<BR>
# crlcheckinterval=600<BR>
# strictcrlpolicy=yes<BR>
# cachecrls=yes<BR>
# nat_traversal=yes<BR>
charonstart=yes<BR>
# plutostart=yes<BR>
crlcheckinterval=180<BR>
strictcrlpolicy=yes<BR>
plutostart=no<BR>
<BR>
# Add connections here.<BR>
<BR>
# Sample VPN connections<BR>
<BR>
# conn sample-self-signed<BR>
# left=%defaultroute<BR>
# leftsubnet=10.1.0.0/16<BR>
# leftcert=selfCert.der<BR>
# leftsendcert=never<BR>
# right=192.168.0.2<BR>
# rightsubnet=10.2.0.0/16<BR>
# rightcert=peerCert.der<BR>
# auto=start<BR>
<BR>
# conn sample-with-ca-cert<BR>
# left=%defaultroute<BR>
# leftsubnet=10.1.0.0/16<BR>
# leftcert=myCert.pem<BR>
# right=192.168.0.2<BR>
# rightsubnet=10.2.0.0/16<BR>
# rightid="C=CH, O=Linux strongSwan CN=peer name"<BR>
# keyexchange=ikev2<BR>
# auto=start<BR>
<BR>
conn %default<BR>
ikelifetime=60m<BR>
keylife=20m<BR>
rekeymargin=3m<BR>
keyingtries=1<BR>
keyexchange=ikev2<BR>
ike=aes16-sha256-ecp256!<BR>
esp=aes128gcm128!<BR>
<BR>
conn home<BR>
left=192.168.1.105<BR>
leftfirewall=yes<BR>
leftcert=carolCert.pem<BR>
leftid=carol@strongswan.org<BR>
right=192.168.1.100<BR>
rightsubnet=10.1.0.0/16<BR>
rightid=@moon.strongswan.org<BR>
auto=add<BR>
<BR>
include /var/lib/strongswan/ipsec.conf.inc<BR>
<BR>
-----Original Message-----<BR>
From: Andreas Steffen [<A HREF="mailto:andreas.steffen@strongswan.org">mailto:andreas.steffen@strongswan.org</A>]<BR>
Sent: Wed 1/4/2012 11:03 PM<BR>
To: Philip Anil-QBW348<BR>
Cc: users@lists.strongswan.org<BR>
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM<BR>
<BR>
Something just came to my mind:<BR>
<BR>
Did you define an elliptic curve Diffie-Hellman group,<BR>
e.g. ecp256? If yes, then you must load the openssl plugin<BR>
on both moon and carol, which gives you ECC support.<BR>
<BR>
<BR>
</FONT>
</P>
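<P><FONT SIZE=2>An added example, not from the thread or from the strongSwan project: a small Python lint that pulls the ike= proposals out of ipsec.conf text and the charon load list out of strongswan.conf text and reports the two problems visible in the thread. It assumes, as one reading of the "configured DH group MODP_NONE" error, that aes16 is not a keyword charon recognises (the AES keywords are aes128, aes192 and aes256) and that a proposal string with an unknown keyword is dropped, leaving no DH group; it also checks Andreas's point that an ecp group needs the openssl plugin loaded. The keyword tables are a subset sufficient for the lines in this thread.</FONT></P>

```python
import re

# Subset of strongSwan proposal keywords (assumption: enough for the ike= lines in this thread).
ENCR = {"aes128", "aes192", "aes256", "3des"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp1024", "modp1536", "modp2048", "modp3072", "ecp256", "ecp384", "ecp521"}
ECP = {"ecp256", "ecp384", "ecp521"}


def lint_ike_proposal(proposal, plugins):
    """Return findings for one ike= string, given the set of plugins charon loads."""
    findings, groups = [], []
    for tok in proposal.rstrip("!").split("-"):
        if tok in ENCR or tok in INTEG:
            continue
        if tok in DH:
            groups.append(tok)
            continue
        # Assumed reading of the thread: an unknown keyword makes charon drop the whole
        # proposal string, so no DH group is configured and the initiator sees MODP_NONE.
        hint = " (AES keywords are aes128/aes192/aes256)" if re.fullmatch(r"aes\d+", tok) else ""
        findings.append(f"unknown keyword '{tok}'{hint}; proposal dropped, leaving no DH group")
    if not groups and not findings:
        findings.append("no DH group in IKE proposal (charon reports MODP_NONE)")
    for g in groups:
        if g in ECP and "openssl" not in plugins:
            findings.append(f"{g} needs the openssl plugin, which is missing from charon.load")
    return findings


def loaded_plugins(strongswan_conf):
    """Extract plugin names from the first load = line in strongswan.conf text."""
    m = re.search(r"^\s*load\s*=\s*(.+)$", strongswan_conf, re.M)
    return set(m.group(1).split()) if m else set()


def ike_proposals(ipsec_conf):
    """Return every uncommented ike= value in ipsec.conf text (ikelifetime= is not matched)."""
    return re.findall(r"^\s*ike\s*=\s*(\S+)", ipsec_conf, re.M)


# Constructed excerpts mirroring carol's files in the thread (not the full configs).
CAROL_STRONGSWAN_CONF = "charon {\n    load = curl aes sha2 gmp random x509 gcm stroke kernel-netlink openssl\n}\n"
CAROL_IPSEC_CONF = "conn %default\n    keyexchange=ikev2\n    ike=aes16-sha256-ecp256!\n    esp=aes128gcm128!\n"

if __name__ == "__main__":
    plugins = loaded_plugins(CAROL_STRONGSWAN_CONF)
    for prop in ike_proposals(CAROL_IPSEC_CONF):
        for finding in lint_ike_proposal(prop, plugins):
            print(f"{prop}: {finding}")
```

Running it against the constructed carol excerpt reports only the aes16 keyword, since openssl is already in her load list; with openssl removed from the list it additionally reports that ecp256 needs the openssl plugin.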
</BODY>
</HTML>