<div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi,<br><br></div><div>Thanks for the suggestions you provided.<br><br></div>The suggestion you provided -----<br></div><br>a) change kernel version.<br></div>b) downgrade strongswan to 4.3.9.<br>
</div>c) rebuild the code with the solution provided.<br><br><br></div>I have tried b) and c) but the same error persists.<br><br></div>for b) i have installed version 4.3.7.<br><br></div>I guess i have to try option a) as only this is left.<br>
<br><br></div>Thanks and Regards,<br></div>Avishek Ganguly<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 17, 2013 at 3:30 PM, <span dir="ltr"><<a href="mailto:users-request@lists.strongswan.org" target="_blank">users-request@lists.strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Users mailing list submissions to<br>
<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:users-request@lists.strongswan.org">users-request@lists.strongswan.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:users-owner@lists.strongswan.org">users-owner@lists.strongswan.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Netlink error Invalid Argument(22) (Thomas Egerer)<br>
2. Re: IKev1 + eap-tls possible? (Martin Willi)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 17 Sep 2013 08:43:52 +0200<br>
From: Thomas Egerer <<a href="mailto:hakke_007@gmx.de">hakke_007@gmx.de</a>><br>
Subject: Re: [strongSwan] Netlink error Invalid Argument(22)<br>
To: A Lee <<a href="mailto:aganguly14@gmail.com">aganguly14@gmail.com</a>><br>
Cc: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Message-ID: <<a href="mailto:5237FA28.7070509@gmx.de">5237FA28.7070509@gmx.de</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
On 09/17/2013 05:45 AM, A Lee wrote:<br>
> Hi,<br>
><br>
> Thanks for suggestion.<br>
><br>
> Kernel module for sha256 is already there and also loaded.<br>
><br>
> My kernel 2.6.18-128.el5<br>
><br>
> Also sha2 support is there.<br>
><br>
> output of 'grep sha2 /proc/crypto' is ----<br>
><br>
> name: sha256 driver: sha256-generic module: sha256<br>
Hi,<br>
<br>
charon request the crypto algorithm 'hmac(sha256)' (this was<br>
changed with 4.3.6), while your kernel algorithm list for ipsec<br>
(xfrm) provides this algorithm under the name 'sha256'.<br>
Bottom line is, you need to<br>
a) update your kernel to at least 2.6.19,<br>
b) downgrade your strongswan version to 4.3.5,<br>
c) modify your strongswan-source and rebuild like this:<br>
<br>
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c<br>
index 2f8cb6b..9a1330f 100644<br>
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c<br>
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c<br>
@@ -211,7 +211,7 @@ static kernel_algorithm_t integrity_algs[] = {<br>
{AUTH_HMAC_SHA1_96, "sha1" },<br>
{AUTH_HMAC_SHA1_160, "hmac(sha1)" },<br>
{AUTH_HMAC_SHA2_256_96, "sha256" },<br>
- {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },<br>
+ {AUTH_HMAC_SHA2_256_128, "sha256" },<br>
{AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },<br>
{AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },<br>
/* {AUTH_DES_MAC, "***" }, */<br>
<br>
I would not recommend b), so if you really need to stick to your<br>
kernel-version, try option c).<br>
<br>
Hope that helps,<br>
<br>
Cheers,<br>
Thomas<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 17 Sep 2013 10:13:13 +0200<br>
From: Martin Willi <<a href="mailto:martin@strongswan.org">martin@strongswan.org</a>><br>
Subject: Re: [strongSwan] IKev1 + eap-tls possible?<br>
To: WorkingMan <<a href="mailto:signup_mail2002@yahoo.com">signup_mail2002@yahoo.com</a>><br>
Cc: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Message-ID: <1379405593.2996.21.camel@martin><br>
Content-Type: text/plain; charset="UTF-8"<br>
<br>
Hi,<br>
<br>
> Is it possible to make ikev1 client (ex: ios) work with eap-radius and eap-<br>
> tls?<br>
<br>
No. IKEv1 does not use EAP, so you definitely can't run any EAP method<br>
between the client and the IPsec gateway.<br>
<br>
> Only xauth-eap seems to make ikev1 work with FreeRadius<br>
<br>
xauth-eap just takes XAuth credentials and verifies them over EAP. But<br>
this works only for passwords (or tokens), XAuth is not involved in<br>
IKEv1 certificate authentication.<br>
<br>
> I was thinking xauth-eap works fine except for the password part. Also I would<br>
> like the client certificate to be authenticated by RADIUS (so things are<br>
> centralized in one place for authentication).<br>
<br>
IKEv1 certificate authentication is part of the core IKEv1 protocol and<br>
not XAuth. There are currently no hooks in strongSwan to delegate<br>
signature verification to a third party, because this hardly makes<br>
sense.<br>
<br>
If you really need something like that, you could replace the IKEv1<br>
public key authenticator [1] by something that delegates verification to<br>
a third party.<br>
<br>
Instead of doing such a non-trivial extension, I'd recommend to do<br>
signature verification on the IPsec gateway, and use eap-radius just for<br>
accounting on your AAA server.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c</a><br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
End of Users Digest, Vol 44, Issue 24<br>
*************************************<br>
</blockquote></div><br></div>