<div>Thanks Tobias,</div>
<div> </div>
<div>Im actually trying to do esp=aes128cgm16!</div>
<div>Here's where I show off my ignorance.</div>
<div>How do you configure something like this on an Android client?</div>
<div>there doesn't seem to be an ipsec.conf file.</div>
<div> </div>
<div>Regards,</div>
<div>Bill</div>
<div> </div>
<div> </div>
<div>Hi Bill,<br><br>><i> Jan 12 12:11:24 14[CFG] received proposals:<br></i>><i> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ<br></i>><i> Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ<br>
</i>><i> Jan 12 12:11:24 14[IKE] no acceptable proposal found<br></i><br>You configured esp=aes128cgm16-sha256! on the gateway but did not do so<br>on the client. Therefore, the client sends its default proposal which<br>
does not include AES-GCM. Hence, no matching proposal is found.<br><br>Regards,<br>Tobias<br><br><br><br></div>
<div class="gmail_quote">On Thu, Jan 12, 2012 at 12:27 PM, william masson <span dir="ltr"><<a href="mailto:wemasson@gmail.com">wemasson@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Hi Tobias,<br><br>Thanks for putting me on the right track.<br>I've enabled CONFIG_GCM, CONFIG_SHA256 in the android kernel and flashed the handset.<br>
I noticed that GCM is configured as a module in my Ubuntu server so I did a modprobe on it just to make sure it was loaded.<br>Still not connecting tho.<br><br>charon.log shows:<br><br>no acceptable ENCRYPTION_ALGORITHM found<br>
Jan 12 12:11:24 14[CFG] received proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ<br>Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ<br>
Jan 12 12:11:24 14[IKE] no acceptable proposal found<br><br>any thoughts?<br>Regards,<br>Bill<br><br><br><br><pre>Hi Bill,<br><br>><i> I want to use the gcm block cypher. (esp=aes128cgm16!)<br>
</i>><i> I added gcm to the Android.mk in the strongswan_CHARON_PLUGINS list and<br></i>><i> also added it to the Android.mk in src/libstrongswan.<br></i><br>The gcm plugin you activated with the above is for strongSwan internal<br>
use with the key exchange protocol IKEv2 and not on the IPsec level with<br>ESP, which is what you want to enable with the esp= option. Since ESP<br>is handled by the Linux kernel you have to build your own kernel with<br>
CRYPTO_GCM enabled in the options. So if you don't want to actually use<br>AES-GCM with IKEv2 itself you don't have to do anything special when<br>building strongSwan.<br><br>><i> The server was configured using --enable-gcm option and an ipsec listall<br>
</i>><i> seems to confirm that the server supports it.<br></i><br>Same applies here, --enable-gcm only enables GCM for IKEv2. Depending<br>on the Linux distribution you use, GCM may already be enabled in the<br>default kernel.<br>
<br>Regards,<br>Tobias<br><br></pre><br></blockquote></div><br>