<div dir="ltr"><div><div><div><div><div><div><div><div>Hi,<br><br></div>I have been trying to set up an IKEv1 tunnel with ESP and the authentication algorithm SHA256.<br><br></div>The IKE tunnel is being created fine. But in the quick mode exchange, when it receives the packet with authentication algorithm SHA256 (attribute value 5), this error is happening. <br>
<br></div>According to the strongSwan documentation, SHA256 is supported. <br><br></div>Can anybody help me out with this one?<br><br></div>I am pasting a portion of the pluto log and also the ipsec.conf file.<br><br></div>PLUTO-LOG<br>
------------------<br><br> HASH(2) computed:<br>| af da 55 9b 5f 40 52 a8 b8 75 b3 04 67 c1 ec 1b<br>| 39 bc 5c ca 96 ae c1 10 4b fe bb d1 2f ea f6 27<br>| kernel_alg_esp_enc_keylen(): alg_id=3, keylen=24<br>| kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32<br>
| KEYMAT computed:<br>| a4 85 19 78 5c a1 b7 2b b2 f4 ce ac fd 50 6e 12<br>| f5 dc 18 9a ac fc 2d 38 08 da ba 4d 80 40 2e f3<br>| b8 50 7a 33 2b 96 9b 3e 6a ff c1 9a f5 6e d1 20<br>| 20 72 6e d7 7f d9 66 15<br>
| install_inbound_ipsec_sa() checking if we can route<br>| route owner of "conn1" unrouted: NULL; eroute owner: NULL<br>| kernel_alg_esp_info():transid=3, auth=5, ei=0x80b7ae8, enckeylen=24, authkeylen=32, encryptalg=3, authalg=5<br>
| adding SAD entry with SPI c5ad47ee and reqid {16384}<br>| using encryption algorithm 3DES_CBC with key size 192<br>| using integrity algorithm HMAC_SHA2_256_128 with key size 256<br>| sending XFRM_MSG_UPDSA: => 440 bytes @ 0xbff65fd8<br>
0: B8 01 00 00 1A 00 05 00 CA 00 00 00 12 24 00 00 .............$..<br> 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 64: 00 00 00 00 00 00 00 00 0A 0A 0A 14 00 00 00 00 ................<br> 80: 00 00 00 00 00 00 00 00 C5 AD 47 EE 32 00 00 00 ..........G.2...<br>
96: 0A 0A 0A 32 00 00 00 00 00 00 00 00 00 00 00 00 ...2............<br> 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................<br> 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................<br>
144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 224: 00 40 00 00 02 00 01 20 20 00 00 00 60 00 02 00 .@..... ...`...<br>
240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00 des3_ede........<br> 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 304: C0 00 00 00 A4 85 19 78 5C A1 B7 2B B2 F4 CE AC .......x\..+....<br> 320: FD 50 6E 12 F5 DC 18 9A AC FC 2D 38 6C 00 14 00 .Pn.......-8l...<br>
336: 68 6D 61 63 28 73 68 61 32 35 36 29 00 00 00 00 hmac(sha256)....<br> 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br> 400: 00 01 00 00 80 00 00 00 08 DA BA 4D 80 40 2E F3 ...........M.@..<br> 416: B8 50 7A 33 2B 96 9B 3E 6A FF C1 9A F5 6E D1 20 .Pz3+..>j....n. <br>
432: 20 72 6E D7 7F D9 66 15 rn...f.<br>received netlink error: Invalid argument (22)<br>unable to add SAD entry with SPI c5ad47ee<br>| state transition function for STATE_QUICK_R0 had internal error<br>
| next event EVENT_SO_DISCARD in 0 seconds for #2<br>| <br>| *time to handle event<br>| event after this is EVENT_SA_REPLACE in 1165 seconds<br>| ICOOKIE: 85 22 00 00 85 22 00 00<br>| RCOOKIE: 3b 12 6a 76 de 5f 2c 0c<br>
| peer: 0a 0a 0a 32<br>| state hash entry 22<br>| next event EVENT_SA_REPLACE in 1165 seconds for #1<br>| received a XFRM_MSG_EXPIRE<br>| <br><br></div>ipsec.conf<br>----------------<br>config setup<br> interfaces="ipsec0=eth1"<br>
klipsdebug=all<br> uniqueids=yes<br> charonstart=no<br> plutodebug=all<br> plutostart=yes<br> plutostderrlog="/etc/pluto.log"<br>conn %default<br> ikelifetime=20m<br> keylife=10m<br>
rekeymargin=1m<br> keyingtries=1<br> forceencaps=yes<br> reauth=no<br> mobike=no<br>conn conn1<br> type=tunnel<br> left=10.10.10.20<br> leftid=%any<br> leftsubnet=<a href="http://20.0.2.20/32">20.0.2.20/32</a><br>
right=10.10.10.50<br> rightid=%any<br> pfs=no<br> pfsgroup=modp1024<br> ike=3des-sha256-modp1024<br> esp=3des-sha256-modp1024<br> auto=add<br> auth=esp<br> authby=secret<br> keyexchange=ikev1<br><br></div>Thanks and Regards,<br>
Avishek Ganguly<br><div><br><br><div><div><br><br></div></div></div></div>
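The bytes in that XFRM_MSG_UPDSA dump are the exact SA the kernel refused, so decoding them is the first check: they show pluto asking for des3_ede with a 192-bit key and hmac(sha256) with a 256-bit key truncated to 128 bits, carried in the XFRMA_ALG_AUTH_TRUNC attribute. The decoder below is an added example, not code from the post or from strongSwan; the byte string is transcribed from the dump above, and the 220-byte fixed-struct size is assumed from the 32-bit layout that dump exhibits (first attribute at byte 236).

```python
import struct

# Constants from linux/netlink.h and linux/xfrm.h (standard kernel values).
NLMSG_HDRLEN, XFRM_MSG_UPDSA = 16, 26
XFRMA_ALG_CRYPT, XFRMA_ALG_AUTH_TRUNC = 2, 20
USERSA_INFO_LEN = 220  # sizeof(struct xfrm_usersa_info); 32-bit layout, assumed from the dump

# The 440-byte message transcribed from the "sending XFRM_MSG_UPDSA" dump in the pluto log.
DUMP = (
    bytes.fromhex("b80100001a000500ca00000012240000") + bytes(48)
    + bytes.fromhex("00000000000000000a0a0a1400000000"
                    "0000000000000000c5ad47ee32000000" "0a0a0a32")
    + bytes(12) + b"\xff" * 32 + bytes(80)
    + bytes.fromhex("00400000020001202000000060000200")
    + b"des3_ede".ljust(64, b"\0")
    + bytes.fromhex("c0000000a48519785ca1b72bb2f4ceacfd506e12f5dc189aacfc2d38")
    + bytes.fromhex("6c001400") + b"hmac(sha256)".ljust(64, b"\0")
    + bytes.fromhex("0001000080000000"
                    "08daba4d80402ef3b8507a332b969b3e6affc19af56ed12020726ed77fd96615")
)

def ipv4(raw):
    return ".".join(str(b) for b in raw[:4])

def decode_updsa(msg):
    """Return the SA parameters and algorithm attributes of an XFRM_MSG_UPDSA message."""
    nlen, ntype = struct.unpack_from("<IH", msg, 0)          # struct nlmsghdr
    if nlen != len(msg) or ntype != XFRM_MSG_UPDSA:
        raise ValueError("not a complete XFRM_MSG_UPDSA message")
    body = msg[NLMSG_HDRLEN:]
    # struct xfrm_usersa_info: sel(56) | id{daddr(16), spi(be32), proto} | saddr(16) | ...
    spi, proto = struct.unpack_from(">IB", body, 72)
    reqid, family, mode, replay = struct.unpack_from("<IHBB", body, 208)
    sa = {"dst": ipv4(body[56:]), "src": ipv4(body[80:]), "spi": spi, "proto": proto,
          "reqid": reqid, "family": family, "mode": mode, "replay_window": replay,
          "algs": {}}
    off = USERSA_INFO_LEN  # rtattr chain: u16 rta_len, u16 rta_type, payload, 4-byte aligned
    while off + 4 <= len(body):
        rlen, rtype = struct.unpack_from("<HH", body, off)
        if rlen < 4 or off + rlen > len(body):
            raise ValueError("malformed rtattr")
        payload = body[off + 4:off + rlen]
        name = payload[:64].split(b"\0", 1)[0].decode(errors="replace")
        if rtype == XFRMA_ALG_CRYPT:        # struct xfrm_algo: alg_name[64], alg_key_len (bits), key
            sa["algs"]["crypt"] = (name, struct.unpack_from("<I", payload, 64)[0], None)
        elif rtype == XFRMA_ALG_AUTH_TRUNC:  # struct xfrm_algo_auth adds alg_trunc_len (bits)
            sa["algs"]["auth"] = (name,) + struct.unpack_from("<II", payload, 64)
        off += (rlen + 3) & ~3
    return sa
```

Comparing the decoded algorithm names and lengths against what the running kernel lists in /proc/crypto is the first thing to check when the kernel answers such a message with EINVAL.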