<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Hi All,</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>I am using the load-tester plugin (strongSwan 5.0.4) to create
thousands of IPsec tunnels. I find the tunnel setup rate to be 125-130
tunnels per second. To use ECDH (for an enhanced setup rate), I built
strongSwan with the ./configure --prefix /usr --sysconfdir=/etc --enable-openssl --disable-gmp
options. I think these DH groups are
available with strongSwan if enabled with the openssl plugin.</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>I have configured the IPsec transform sets as
follows:</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>In the conn %default section of ipsec.conf (IKE
responder)</span></u></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>ike=aes128-sha1-ecp192! </span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>In the load-tester section of strongswan.conf (IKE initiator)</span></u></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>proposal = aes128-sha1-ecp192</span></u></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>But when trying to run from the console (using #ipsec start --nofork),
the following error message appeared
at the IKE initiator end:</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>"09[MGR] &lt;load-test|1&gt; tried to check-in and delete
nonexisting IKE_SA"</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Thereafter I checked the list of registered IKE algorithms and DH groups using
#ipsec listalgs and found the following:</span></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>List of registered IKE algorithms:</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span></span><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>dh-group:<span style="mso-spacerun: yes;"> </span>MODP_2048[openssl] MODP_2048_224[openssl]
MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl]
MODP_1024[openssl] MODP_1024_160[openssl]</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>MODP_768[openssl] MODP_CUSTOM[openssl] MODP_NULL[load-tester]</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>random-gen:
RNG_STRONG[random] RNG_TRUE[random] RNG_WEAK[openssl]</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>nonce-gen:<span style="mso-spacerun: yes;"> </span>[nonce] <span style="mso-spacerun: yes;"> </span></span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Similarly, I checked the SSL ciphers supported via the OpenSSL&gt;
ciphers command but did not find the elliptic curve Diffie-Hellman group. I am
using Fedora Linux (2.6.33.3-85.fc13.i686) and the version of OpenSSL is 1.0.0d-fips
8 Feb 2011.</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Can anyone please suggest how to enable elliptic curve
Diffie-Hellman in OpenSSL? Please correct me if I am not on the right track. Please
feel free to let me know if I have missed anything. Thanks in advance for your
support and response.</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'> </span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Regards,</span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Chinmaya</span></div><div><font face="Times New Roman">
</font></div></div></body></html>