<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7655.1">
<TITLE>RE: [strongSwan] newbie qs. suite B with AES-GCM</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>Forgot to add ipsec statusall<BR>
-------carol----------------<BR>
~$ sudo ipsec statusall<BR>
Status of IKEv2 charon daemon (strongSwan 4.5.2):<BR>
  uptime: 19 seconds, since Jan 05 11:09:05 2012<BR>
  malloc: sbrk 135168, mmap 0, used 92312, free 42856<BR>
  worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0<BR>
  loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink updown openssl<BR>
Listening IP addresses:<BR>
  192.168.1.105<BR>
Connections:<BR>
        home:  192.168.1.105...192.168.1.100<BR>
        home:   local:  [carol@strongswan.org] uses public key authentication<BR>
        home:   remote: [moon.strongswan.org] uses any authentication<BR>
        home:    crl:   status must be GOOD<BR>
        home:   child:  dynamic === 10.1.0.0/16<BR>
Security Associations:<BR>
  none<BR>
<BR>
-----Original Message-----<BR>
From: users-bounces+anil.philip=motorolasolutions.com@lists.strongswan.org on behalf of Philip Anil-QBW348<BR>
Sent: Thu 1/5/2012 10:52 AM<BR>
To: Andreas Steffen<BR>
Cc: users@lists.strongswan.org<BR>
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM<BR>
<BR>
Andreas,<BR>
I added openssl to the load command in strongswan.conf.<BR>
Still the same problem.<BR>
Anil<BR>
<BR>
-----------MOON----------------<BR>
anil@spg-strongswan:~$ sudo ipsec restart<BR>
Stopping strongSwan IPsec...<BR>
Starting strongSwan 4.5.2 IPsec [starter]...<BR>
!! Your strongswan.conf contains manual plugin load options for<BR>
!! pluto and/or charon. This is recommended for experts only, see<BR>
!! <A HREF="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</A><BR>
----------ipsec.conf-------------<BR>
# ipsec.conf - strongSwan IPsec configuration file<BR>
<BR>
# basic configuration<BR>
config setup<BR>
        crlcheckinterval=180<BR>
        strictcrlpolicy=yes<BR>
        plutostart=no<BR>
<BR>
conn %default<BR>
        ikelifetime=60m<BR>
        keylife=20m<BR>
        rekeymargin=3m<BR>
        keyingtries=1<BR>
        keyexchange=ikev2<BR>
        ike=aes16-sha256-ecp256!<BR>
        esp=aes128gcm128!<BR>
<BR>
conn rw<BR>
        left=192.168.1.100<BR>
        leftfirewall=yes<BR>
        leftcert=moonCert.pem<BR>
        leftid=@moon.strongswan.org<BR>
        leftsubnet=10.1.0.0/16<BR>
        right=%any<BR>
        auto=add<BR>
<BR>
# config setup<BR>
# plutodebug=all<BR>
# crlcheckinterval=600<BR>
# strictcrlpolicy=yes<BR>
# cachecrls=yes<BR>
# nat_traversal=yes<BR>
# charonstart=yes<BR>
# plutostart=yes<BR>
<BR>
# Add connections here.<BR>
<BR>
# Sample VPN connections<BR>
<BR>
# conn sample-self-signed<BR>
#      left=%defaultroute<BR>
#      leftsubnet=10.1.0.0/16<BR>
#      leftcert=selfCert.der<BR>
#      leftsendcert=never<BR>
#      right=192.168.0.2<BR>
#      rightsubnet=10.2.0.0/16<BR>
#      rightcert=peerCert.der<BR>
#      auto=start<BR>
<BR>
# conn sample-with-ca-cert<BR>
#      left=%defaultroute<BR>
#      leftsubnet=10.1.0.0/16<BR>
#      leftcert=myCert.pem<BR>
#      right=192.168.0.2<BR>
#      rightsubnet=10.2.0.0/16<BR>
#      rightid="C=CH, O=Linux strongSwan CN=peer name"<BR>
#      keyexchange=ikev2<BR>
#      auto=start<BR>
<BR>
include /var/lib/strongswan/ipsec.conf.inc<BR>
----------------strongswan.conf------------------------<BR>
# strongswan.conf - strongSwan configuration file<BR>
<BR>
charon {<BR>
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl<BR>
<BR>
        # number of worker threads in charon<BR>
        threads = 16<BR>
<BR>
        # send strongswan vendor ID?<BR>
        # send_vendor_id = yes<BR>
<BR>
        plugins {<BR>
<BR>
                sql {<BR>
                        # loglevel to log into sql database<BR>
                        loglevel = -1<BR>
<BR>
                        # URI to the database<BR>
                        # database = sqlite:///path/to/file.db<BR>
                        # database = mysql://user:password@localhost/database<BR>
                }<BR>
        }<BR>
<BR>
        # ...<BR>
}<BR>
<BR>
pluto {<BR>
<BR>
}<BR>
<BR>
libstrongswan {<BR>
<BR>
        #  set to no, the DH exponent size is optimized<BR>
        #  dh_exponent_ansi_x9_42 = no<BR>
}<BR>
<BR>
-------road warrior carol----------------<BR>
~$ ping 192.168.1.100<BR>
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.<BR>
64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms<BR>
64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms<BR>
~$ sudo /etc/init.d/iptables start 2> /dev/null<BR>
~$ sudo ipsec restart<BR>
Stopping strongSwan IPsec...<BR>
Starting strongSwan 4.5.2 IPsec [starter]...<BR>
!! Your strongswan.conf contains manual plugin load options for<BR>
!! pluto and/or charon. This is recommended for experts only, see<BR>
!! <A HREF="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</A><BR>
~$ sudo ipsec up home<BR>
initiating IKE_SA home[1] to 192.168.1.100<BR>
configured DH group MODP_NONE not supported<BR>
tried to check-in and delete nonexisting IKE_SA<BR>
---------------------------<BR>
# strongswan.conf - strongSwan configuration file<BR>
<BR>
charon {<BR>
<BR>
        # number of worker threads in charon<BR>
        threads = 16<BR>
<BR>
        # send strongswan vendor ID?<BR>
        # send_vendor_id = yes<BR>
<BR>
        plugins {<BR>
<BR>
                sql {<BR>
                        # loglevel to log into sql database<BR>
                        loglevel = -1<BR>
<BR>
                        # URI to the database<BR>
                        # database = sqlite:///path/to/file.db<BR>
                        # database = mysql://user:password@localhost/database<BR>
                }<BR>
        }<BR>
<BR>
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl<BR>
        # ...<BR>
}<BR>
<BR>
pluto {<BR>
<BR>
}<BR>
<BR>
libstrongswan {<BR>
<BR>
        #  set to no, the DH exponent size is optimized<BR>
        #  dh_exponent_ansi_x9_42 = no<BR>
}<BR>
---------------------------------------------------------------<BR>
# ipsec.conf - strongSwan IPsec configuration file<BR>
<BR>
# basic configuration<BR>
<BR>
config setup<BR>
        # plutodebug=all<BR>
        # crlcheckinterval=600<BR>
        # strictcrlpolicy=yes<BR>
        # cachecrls=yes<BR>
        # nat_traversal=yes<BR>
        charonstart=yes<BR>
        # plutostart=yes<BR>
        crlcheckinterval=180<BR>
        strictcrlpolicy=yes<BR>
        plutostart=no<BR>
<BR>
# Add connections here.<BR>
<BR>
# Sample VPN connections<BR>
<BR>
# conn sample-self-signed<BR>
#      left=%defaultroute<BR>
#      leftsubnet=10.1.0.0/16<BR>
#      leftcert=selfCert.der<BR>
#      leftsendcert=never<BR>
#      right=192.168.0.2<BR>
#      rightsubnet=10.2.0.0/16<BR>
#      rightcert=peerCert.der<BR>
#      auto=start<BR>
<BR>
# conn sample-with-ca-cert<BR>
#      left=%defaultroute<BR>
#      leftsubnet=10.1.0.0/16<BR>
#      leftcert=myCert.pem<BR>
#      right=192.168.0.2<BR>
#      rightsubnet=10.2.0.0/16<BR>
#      rightid="C=CH, O=Linux strongSwan CN=peer name"<BR>
#      keyexchange=ikev2<BR>
#      auto=start<BR>
<BR>
conn %default<BR>
        ikelifetime=60m<BR>
        keylife=20m<BR>
        rekeymargin=3m<BR>
        keyingtries=1<BR>
        keyexchange=ikev2<BR>
        ike=aes16-sha256-ecp256!<BR>
        esp=aes128gcm128!<BR>
<BR>
conn home<BR>
        left=192.168.1.105<BR>
        leftfirewall=yes<BR>
        leftcert=carolCert.pem<BR>
        leftid=carol@strongswan.org<BR>
        right=192.168.1.100<BR>
        rightsubnet=10.1.0.0/16<BR>
        rightid=@moon.strongswan.org<BR>
        auto=add<BR>
<BR>
include /var/lib/strongswan/ipsec.conf.inc<BR>
<BR>
-----Original Message-----<BR>
From: Andreas Steffen [<A HREF="mailto:andreas.steffen@strongswan.org">mailto:andreas.steffen@strongswan.org</A>]<BR>
Sent: Wed 1/4/2012 11:03 PM<BR>
To: Philip Anil-QBW348<BR>
Cc: users@lists.strongswan.org<BR>
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM<BR>
<BR>
Something just came to my mind:<BR>
<BR>
Did you define an elliptic curve Diffie-Hellman group,<BR>
e.g. ecp256? If yes then you must load the openssl plugin<BR>
both on moon and carol which gives you ECC support.<BR>
<BR>
<BR>
</FONT>
</P>
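<P><FONT SIZE=2>Editor's worked example, not part of the thread and not strongSwan's own code: a small Python linter for the ike=/esp= proposal strings and the charon load= line posted above. It flags aes16 in ike=aes16-sha256-ecp256! as an unknown keyword (strongSwan's AES keywords are aes128, aes192 and aes256); because the value ends in the strict "!", charon is then left with no IKE proposal at all, which is consistent with the initiator's "configured DH group MODP_NONE not supported". It also reproduces Andreas's point that an ecp DH group needs the openssl plugin in the load line. The keyword sets are a subset of strongSwan's documented IKEv2 cipher-suite keywords; the keyword-to-plugin map (ecp groups from openssl, modp from gmp, AES-GCM from gcm, SHA-2 from sha2) is an assumption about 4.5.x, and the sample values are constructed from carol's posted configs.</FONT></P>

```python
"""Lint strongSwan ike=/esp= proposal strings against charon's load= line.

Added example for the thread above, not strongSwan's own parser. The keyword
sets are a subset of strongSwan's documented IKEv2 cipher-suite keywords; the
keyword-to-plugin map describes which charon plugin supplied each family
around 4.5.x and is an assumption, not something the posted output states.
"""
import re

ENCR = {"3des", "aes128", "aes192", "aes256", "aes128ctr", "aes192ctr", "aes256ctr"}
AEAD = {"aes%dgcm%d" % (k, t) for k in (128, 192, 256)
        for t in (8, 12, 16, 64, 96, 128)}
AEAD |= {"aes%dccm%d" % (k, t) for k in (128, 192, 256)
         for t in (8, 12, 16, 64, 96, 128)}
INTEG = {"md5", "sha1", "sha256", "sha256_96", "sha384", "sha512", "aesxcbc"}
DH = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
      "modp6144", "modp8192", "modp1024s160", "modp2048s224", "modp2048s256",
      "ecp192", "ecp224", "ecp256", "ecp384", "ecp521"}
KEYWORDS = ENCR | AEAD | INTEG | DH

# Constructed from carol's posted ipsec.conf and strongswan.conf.
POSTED_IKE = "aes16-sha256-ecp256!"
POSTED_ESP = "aes128gcm128!"
POSTED_LOAD = ("curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation "
               "hmac xcbc gcm stroke kernel-netlink socket-default updown openssl")
FIXED_IKE = "aes128-sha256-ecp256!"   # assumed intended value


def plugin_for(token):
    """charon plugin that implements a keyword (assumed 4.5.x mapping)."""
    if token.startswith("ecp"):
        return "openssl"      # ECDH groups came only from the openssl plugin
    if token.startswith("modp"):
        return "gmp"
    if "gcm" in token:
        return "gcm"
    if "ccm" in token:
        return "ccm"
    if token == "3des":
        return "des"
    if token == "aesxcbc":
        return "xcbc"
    if token.startswith("aes"):
        return "aes"
    if token in ("sha256", "sha256_96", "sha384", "sha512"):
        return "sha2"
    if token in ("sha1", "md5"):
        return token
    return None


def lint_proposal(value):
    """Parse one ike=/esp= value.

    Returns (findings, proposals): findings is a list of human-readable
    problems, proposals the list of token lists that parsed cleanly. A
    trailing '!' means strict mode, so a value whose only proposal fails to
    parse leaves charon with no proposal at all.
    """
    findings = []
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    proposals = []
    for prop in body.split(","):
        tokens = prop.split("-")
        clean = True
        for tok in tokens:
            if tok in KEYWORDS:
                continue
            clean = False
            m = re.fullmatch(r"aes(\d+)", tok)
            if m and int(m.group(1)) not in (128, 192, 256):
                findings.append("'%s' is not a keyword: AES key sizes are 128, 192 "
                                "or 256, e.g. 'aes128'" % tok)
            else:
                findings.append("'%s' is not a recognised algorithm keyword" % tok)
        if clean:
            proposals.append(tokens)
    if strict and not proposals:
        findings.append("no proposal parsed and '!' forbids falling back to defaults")
    return findings, proposals


def missing_plugins(ike_value, load_line):
    """Plugins the parsed IKE proposals need that charon's load= line lacks."""
    _, proposals = lint_proposal(ike_value)
    needed = {plugin_for(tok) for prop in proposals for tok in prop}
    needed.discard(None)
    return sorted(needed - set(load_line.split()))


if __name__ == "__main__":
    for label, value in (("ike", POSTED_IKE), ("esp", POSTED_ESP), ("ike", FIXED_IKE)):
        findings, proposals = lint_proposal(value)
        print("%s=%s : %s" % (label, value, findings or proposals))
    print("missing plugins for fixed ike:", missing_plugins(FIXED_IKE, POSTED_LOAD))
    print("same without openssl loaded:",
          missing_plugins(FIXED_IKE, POSTED_LOAD.replace(" openssl", "")))
```

<P><FONT SIZE=2>Run as-is it reports on the posted values: the ike= line produces the aes16 finding and no usable proposal, while ike=aes128-sha256-ecp256! parses and needs only aes, sha2 and openssl, all of which the posted load= line already contains, so once the keyword is corrected the configuration in the thread is complete on the charon side. The ESP proposal aes128gcm128 only has to parse in charon; the ESP crypto itself is performed by the kernel via kernel-netlink, so the kernel must provide AES-GCM for it to come up.</FONT></P>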

</BODY>
</HTML>