<div dir="ltr"><div><div><div><div>Hi,<br><br></div>Thanks for the reply.<br><br></div>My kernel is 2.6.18-128.el5.<br><br></div>Also, sha2 support is there.<br><br></div><div>Output of 'grep sha2 /proc/crypto' is:<br><br>
</div><div>name: sha256<br></div><div>driver: sha256-generic<br></div><div>module: sha256<br><br></div><div>Also, I have tried lsmod, and the sha256 module is loaded.<br></div><div>Output of lsmod:<br>
<br>Module Size Used by<br>sha256 15297 0 <br>xfrm4_mode_tunnel 6849 0 <br>krng 6081 1 <br>ansi_cprng 9413 0 <br>chainiv 9153 0 <br>
rng 7625 3 krng,ansi_cprng,chainiv<br>authenc 10433 0 <br>testmgr_cipher 6849 0 <br>des 20417 0 <br>cbc 8257 0 <br>md5 8129 0 <br>
hmac 8769 0 <br>crypto_hash 6337 1 hmac<br>testmgr 44593 1 testmgr_cipher<br>crypto_blkcipher 17601 4 chainiv,authenc,cbc,testmgr<br>cryptomgr 7617 0 <br>
deflate 7873 0 <br>zlib_deflate 21977 1 deflate<br>xfrm4_tunnel 6593 0 <br>tunnel4 7365 1 xfrm4_tunnel<br>ipcomp 11465 0 <br>esp4 12353 0 <br>
xfrm4_esp 9793 1 esp4<br>aead 11841 3 authenc,testmgr,esp4<br>crypto_algapi 22849 10 krng,ansi_cprng,chainiv,authenc,cbc,hmac,testmgr,crypto_blkcipher,cryptomgr,aead<br>ah4 10305 0 <br>
af_key 40785 0 <br>autofs4 24261 2 <br>hidp 23105 2 <br>rfcomm 42457 0 <br>l2cap 29505 10 hidp,rfcomm<br>bluetooth 53797 5 hidp,rfcomm,l2cap<br>
sunrpc 144765 1 <br>ipt_REJECT 9537 0 <br>ip6t_REJECT 9409 1 <br>xt_tcpudp 7105 6 <br>ip6table_filter 6849 1 <br>ip6_tables 18053 1 ip6table_filter<br>
x_tables 17349 4 ipt_REJECT,ip6t_REJECT,xt_tcpudp,ip6_tables<br>dm_multipath 24013 0 <br>scsi_dh 11713 1 dm_multipath<br>video 21193 0 <br>hwmon 7365 0 <br>
backlight 10049 1 video<br>sbs 18533 0 <br>i2c_ec 9025 1 sbs<br>button 10705 0 <br>battery 13637 0 <br>asus_acpi 19289 0 <br>
ac 9157 0 <br>ipv6 261473 31 ip6t_REJECT<br>xfrm_nalgo 13381 4 esp4,xfrm4_esp,ah4,ipv6<br>crypto_api 12609 9 rng,authenc,testmgr,crypto_blkcipher,esp4,aead,crypto_algapi,ah4,xfrm_nalgo<br>
lp 15849 0 <br>sg 36189 0 <br>snd_intel8x0 35421 1 <br>snd_ac97_codec 93025 1 snd_intel8x0<br>ac97_bus 6337 1 snd_ac97_codec<br>snd_seq_dummy 7877 0 <br>
snd_seq_oss 32577 0 <br>snd_seq_midi_event 11073 1 snd_seq_oss<br>snd_seq 49585 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event<br>snd_seq_device 11725 3 snd_seq_dummy,snd_seq_oss,snd_seq<br>
snd_pcm_oss 42817 0 <br>ide_cd 40161 0 <br>snd_mixer_oss 19009 1 snd_pcm_oss<br>i2c_piix4 12237 0 <br>serio_raw 10693 0 <br>cdrom 36577 1 ide_cd<br>
i2c_core 23745 2 i2c_ec,i2c_piix4<br>snd_pcm 72133 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss<br>snd_timer 24517 2 snd_seq,snd_pcm<br>snd 55237 11 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer<br>
parport_pc 29157 0 <br>e1000 115285 0 <br>soundcore 11553 1 snd<br>pcspkr 7105 0 <br>parport 37513 2 lp,parport_pc<br>snd_page_alloc 14281 2 snd_intel8x0,snd_pcm<br>
dm_raid45 66509 0 <br>dm_message 6977 1 dm_raid45<br>dm_region_hash 15681 1 dm_raid45<br>dm_mem_cache 9537 1 dm_raid45<br>dm_snapshot 22245 0 <br>dm_zero 6209 0 <br>
dm_mirror 22981 0 <br>dm_log 14529 3 dm_raid45,dm_region_hash,dm_mirror<br>dm_mod 62201 11 dm_multipath,dm_raid45,dm_snapshot,dm_zero,dm_mirror,dm_log<br>ata_piix 23621 0 <br>
ahci 34377 2 <br>libata 156677 2 ata_piix,ahci<br>sd_mod 25153 3 <br>scsi_mod 141589 4 scsi_dh,sg,libata,sd_mod<br>ext3 124233 2 <br>jbd 56937 1 ext3<br>
uhci_hcd 25421 0 <br>ohci_hcd 24681 0 <br>ehci_hcd 33357 0 <br><br></div><div>Any help would be great.<br><br></div><div>Thanks and Regards,<br></div><div>Avishek Ganguly.<br></div>
<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 17, 2013 at 2:13 AM, Thomas Egerer <span dir="ltr"><<a href="mailto:hakke_007@gmx.de" target="_blank">hakke_007@gmx.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 09/16/2013 03:44 PM, A Lee wrote:<br>
> Hi,<br>
><br>
> I have been trying to set up an IKEv1 tunnel with ESP and authentication<br>
> algorithm SHA256.<br>
><br>
> The IKE tunnel is being created fine. But in the quick mode exchange, when it<br>
> receives the packet with SHA256 as the authentication algorithm (attribute<br>
> value 5), this error happens.<br>
><br>
> According to the strongSwan documentation, sha256 is supported.<br>
><br>
> Can anybody help me out with this one?<br>
><br>
> I am pasting a portion of the pluto log and also the ipsec.conf file.<br>
><br>
> PLUTO-LOG<br>
> ------------------<br>
><br>
> HASH(2) computed:<br>
> | af da 55 9b 5f 40 52 a8 b8 75 b3 04 67 c1 ec 1b<br>
> | 39 bc 5c ca 96 ae c1 10 4b fe bb d1 2f ea f6 27<br>
> | kernel_alg_esp_enc_keylen(): alg_id=3, keylen=24<br>
> | kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32<br>
> | KEYMAT computed:<br>
> | a4 85 19 78 5c a1 b7 2b b2 f4 ce ac fd 50 6e 12<br>
> | f5 dc 18 9a ac fc 2d 38 08 da ba 4d 80 40 2e f3<br>
> | b8 50 7a 33 2b 96 9b 3e 6a ff c1 9a f5 6e d1 20<br>
> | 20 72 6e d7 7f d9 66 15<br>
> | install_inbound_ipsec_sa() checking if we can route<br>
> | route owner of "conn1" unrouted: NULL; eroute owner: NULL<br>
> | kernel_alg_esp_info():transid=3, auth=5, ei=0x80b7ae8, enckeylen=24,<br>
> authkeylen=32, encryptalg=3, authalg=5<br>
> | adding SAD entry with SPI c5ad47ee and reqid {16384}<br>
> | using encryption algorithm 3DES_CBC with key size 192<br>
> | using integrity algorithm HMAC_SHA2_256_128 with key size 256<br>
> | sending XFRM_MSG_UPDSA: => 440 bytes @ 0xbff65fd8<br>
> 0: B8 01 00 00 1A 00 05 00 CA 00 00 00 12 24 00 00 .............$..<br>
> 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 64: 00 00 00 00 00 00 00 00 0A 0A 0A 14 00 00 00 00 ................<br>
> 80: 00 00 00 00 00 00 00 00 C5 AD 47 EE 32 00 00 00 ..........G.2...<br>
> 96: 0A 0A 0A 32 00 00 00 00 00 00 00 00 00 00 00 00 ...2............<br>
> 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................<br>
> 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................<br>
> 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 224: 00 40 00 00 02 00 01 20 20 00 00 00 60 00 02 00 .@..... ...`...<br>
> 240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00 des3_ede........<br>
> 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 304: C0 00 00 00 A4 85 19 78 5C A1 B7 2B B2 F4 CE AC .......x\..+....<br>
> 320: FD 50 6E 12 F5 DC 18 9A AC FC 2D 38 6C 00 14 00 .Pn.......-8l...<br>
> 336: 68 6D 61 63 28 73 68 61 32 35 36 29 00 00 00 00 hmac(sha256)....<br>
> 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br>
> 400: 00 01 00 00 80 00 00 00 08 DA BA 4D 80 40 2E F3 ...........M.@..<br>
> 416: B8 50 7A 33 2B 96 9B 3E 6A FF C1 9A F5 6E D1 20 .Pz3+..>j....n.<br>
> 432: 20 72 6E D7 7F D9 66 15 rn...f.<br>
> received netlink error: Invalid argument (22)<br>
> unable to add SAD entry with SPI c5ad47ee<br>
> | state transition function for STATE_QUICK_R0 had internal error<br>
> | next event EVENT_SO_DISCARD in 0 seconds for #2<br>
> |<br>
> | *time to handle event<br>
> | event after this is EVENT_SA_REPLACE in 1165 seconds<br>
> | ICOOKIE: 85 22 00 00 85 22 00 00<br>
> | RCOOKIE: 3b 12 6a 76 de 5f 2c 0c<br>
> | peer: 0a 0a 0a 32<br>
> | state hash entry 22<br>
> | next event EVENT_SA_REPLACE in 1165 seconds for #1<br>
> | received a XFRM_MSG_EXPIRE<br>
> |<br>
><br>
> ipsec.conf<br>
> ----------------<br>
> config setup<br>
> interfaces="ipsec0=eth1"<br>
> klipsdebug=all<br>
> uniqueids=yes<br>
> charonstart=no<br>
> plutodebug=all<br>
> plutostart=yes<br>
> plutostderrlog="/etc/pluto.log"<br>
> conn %default<br>
> ikelifetime=20m<br>
> keylife=10m<br>
> rekeymargin=1m<br>
> keyingtries=1<br>
> forceencaps=yes<br>
> reauth=no<br>
> mobike=no<br>
> conn conn1<br>
> type=tunnel<br>
> left=10.10.10.20<br>
> leftid=%any<br>
> leftsubnet=20.0.2.20/32<br>
> right=10.10.10.50<br>
> rightid=%any<br>
> pfs=no<br>
> pfsgroup=modp1024<br>
> ike=3des-sha256-modp1024<br>
> esp=3des-sha256-modp1024<br>
> auto=add<br>
> auth=esp<br>
> authby=secret<br>
> keyexchange=ikev1<br>
</div></div>Hi,<br>
<br>
which kernel-version are you using (uname -v), and is there<br>
a chance you don't have sha2 support enabled in your kernel?<br>
Try 'grep sha2 /proc/crypto'<br>
<br>
Cheers,<br>
Thomas<br>
</blockquote></div><br></div>
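Added example, not part of the original thread and not strongSwan code: a decoder for the netlink attributes of an XFRM_MSG_UPDSA message laid out like the 440-byte dump quoted above, so the attribute type that carries the integrity algorithm (the header `6C 00 14 00` at offset 332 in the dump) can be compared against the `linux/xfrm.h` of the running kernel. Assumptions: the attribute numbers are those of mainline `linux/xfrm.h`, the host is little-endian, the fixed payload is 220 bytes as the dump's first attribute offset (236) implies, and the sample message is constructed here with zeroed keys.

```python
import struct

# Attribute type numbers from mainline linux/xfrm.h (enum xfrm_attr_type_t).
XFRMA = {1: "XFRMA_ALG_AUTH", 2: "XFRMA_ALG_CRYPT", 3: "XFRMA_ALG_COMP",
         4: "XFRMA_ENCAP", 18: "XFRMA_ALG_AEAD", 20: "XFRMA_ALG_AUTH_TRUNC"}
NLMSG_HDRLEN = 16  # struct nlmsghdr: len, type, flags, seq, pid


def align4(n):
    return (n + 3) & ~3


def decode_attrs(msg, fixed_len):
    """Walk the netlink attributes after nlmsghdr + fixed payload.

    fixed_len is sizeof(struct xfrm_usersa_info) on the sending host
    (assumed 220 here, matching the first attribute offset in the dump).
    """
    total, = struct.unpack_from("<I", msg, 0)
    if total != len(msg):
        raise ValueError("nlmsg_len does not match buffer length")
    off, found = NLMSG_HDRLEN + fixed_len, []
    while off + 4 <= total:
        nla_len, nla_type = struct.unpack_from("<HH", msg, off)
        if nla_len < 4 or off + nla_len > total:
            raise ValueError("malformed attribute at offset %d" % off)
        body = msg[off + 4:off + nla_len]
        info = {"offset": off, "type": XFRMA.get(nla_type, "type %d" % nla_type)}
        if nla_type in (1, 2, 20) and len(body) >= 68:
            # struct xfrm_algo / xfrm_algo_auth: 64-byte name, key length in bits
            info["alg"] = body[:64].split(b"\0", 1)[0].decode("ascii", "replace")
            info["key_bits"], = struct.unpack_from("<I", body, 64)
            if nla_type == 20 and len(body) >= 72:
                info["trunc_bits"], = struct.unpack_from("<I", body, 68)
        found.append(info)
        off += align4(nla_len)
    return found


def build_sample():
    """Constructed message with the dump's layout; key bytes are zeroed."""
    def attr(nla_type, payload):
        return struct.pack("<HH", 4 + len(payload), nla_type) + payload
    crypt = b"des3_ede".ljust(64, b"\0") + struct.pack("<I", 192) + bytes(24)
    auth = (b"hmac(sha256)".ljust(64, b"\0")
            + struct.pack("<II", 256, 128) + bytes(32))
    body = bytes(220) + attr(2, crypt) + attr(20, auth)
    # 0x1A (message type) and 0x05 (flags) are the values in the dump header.
    return struct.pack("<IHHII", 16 + len(body), 0x1A, 0x05, 0, 0) + body
```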