<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi Noel,</div>
<div>Here is some output from ipsec statusall.</div>
<div> </div>
<div>Status of IKE charon daemon (<font color="red">strongSwan 5.1.1</font>, VOS OpenVOS Release 18.0.0af, i786):</div>
<div>...</div>
<div>loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown xauth-generic</div>
<div> </div>
<div>Here is some output from ipsec listall.</div>
<div> </div>
<div>List of registered IKE algorithms:</div>
<div> </div>
<div> encryption: DES_CBC[des] 3DES_CBC[des] IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl]</div>
<div> AES_CBC[aes] CAMELLIA_CBC[openssl] DES_ECB[des] RC2_CBC[rc2]</div>
<div> integrity: HMAC_MD5_96[openssl] HMAC_SHA1_96[openssl] AES_XCBC_96[xcbc] HMAC_MD5_128[openssl] HMAC_SHA1_160[openssl]</div>
<div> AES_CMAC_96[cmac] HMAC_SHA2_256_128[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_512_256[openssl]</div>
<div> HMAC_SHA1_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_512[openssl]</div>
<div> CAMELLIA_XCBC_96[xcbc]</div>
<div> aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]</div>
<div> hasher: HASH_MD4[openssl] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2]</div>
<div> HASH_SHA512[sha2]</div>
<div> prf: PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_AES128_XCBC[xcbc] <font color="red">PRF_HMAC_SHA2_256[openssl]</font></div>
<div><font color="red"> PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl]<font color="black"> PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf]</font></font></div>
<div> PRF_KEYED_SHA1[sha1] PRF_CAMELLIA128_XCBC[xcbc]</div>
<div> dh-group: MODP_768[openssl] MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl]</div>
<div> MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl]</div>
<div> ECP_521[openssl] MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl]</div>
<div> ECP_224[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]</div>
<div> MODP_CUSTOM[openssl]</div>
<div> random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]</div>
<div> nonce-gen: [nonce]</div>
<div> </div>
<div> </div>
<div>Here is just very simple connection.</div>
<div> </div>
<div>conn test_14</div>
<div> left=10.2.14.122</div>
<div> leftauth=pubkey</div>
<div> leftcert=test_2.14_cert_ipv4.der</div>
<div> right=10.2.14.120</div>
<div> esp=aes128-sha256-modp2048!</div>
<div> ike=aes128-sha512-modp2048!</div>
<div> keyingtries=8</div>
<div> rightauth=pubkey</div>
<div> </div>
<div> </div>
<div>It looks like both openssl and hmac supports that. Should I try load hmac first? How do I change that order?</div>
<div> </div>
<div>Thanks!</div>
<div>Bettina</div>
<div> </div>
<div>-----Original Message-----<br>
From: Noel Kuntze [<a href="mailto:noel@familie-kuntze.de">mailto:noel@familie-kuntze.de</a>]
<br>
Sent: Friday, March 27, 2015 11:19 AM<br>
To: Ko, HsuenJu; users@lists.strongswan.org<br>
Subject: Re: [strongSwan] failure with ike using sha2</div>
<div> </div>
<div>-----BEGIN PGP SIGNED MESSAGE-----</div>
<div>Hash: SHA256</div>
<div> </div>
<div>Hello Bettina,</div>
<div> </div>
<div>First, you have to find out what plugin currently provides those algorithms.</div>
<div>Do that by examining the list of loaded plugins in the output of "ipsec statusall".</div>
<div>On my box, sha1 and sha2 can be either supplied by the af-alg, hmac or openssl plugin.</div>
<div>The plugin which is loaded first supplies them.</div>
<div> </div>
<div>To make your life easier, I advise to post the list of loaded plugins here, so we can look at it and help you.</div>
<div>Furthermore, please state what version of strongswan you are using and what the content of your strongswan.conf is.</div>
<div> </div>
<div>Mit freundlichen Grüßen/Regards,</div>
<div>Noel Kuntze</div>
<div> </div>
<div>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</div>
<div> </div>
<div>Am 27.03.2015 um 16:12 schrieb Ko, HsuenJu:</div>
<div>> Hi,</div>
<div>> Thanks for the information. How do I find out which plugin to try?</div>
<div>> </div>
<div>> </div>
<div>> Bettina</div>
<div>> </div>
<div>> -----Original Message-----</div>
<div>> From: <a href="mailto:users-bounces@lists.strongswan.org">users-bounces@lists.strongswan.org</a> </div>
<div>> [<a href="mailto:users-bounces@lists.strongswan.org">mailto:users-bounces@lists.strongswan.org</a>] On Behalf Of Noel Kuntze</div>
<div>> Sent: Friday, March 27, 2015 11:12 AM</div>
<div>> To: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a></div>
<div>> Subject: Re: [strongSwan] failure with ike using sha2</div>
<div>> </div>
<div>> Hello,</div>
<div>> </div>
<div>> That sounds like the plugin that provides those algorithms is broken.</div>
<div>> You can try to work around that by making charon load another plugin, which provides the PRF algorithms for those signature algorithms, before the one you are using right now.</div>
<div>> </div>
<div>> Mit freundlichen Grüßen/Regards,</div>
<div>> Noel Kuntze</div>
<div>> </div>
<div>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</div>
<div>> </div>
<div>> Am 27.03.2015 um 16:05 schrieb Ko, HsuenJu:</div>
<div>>> Hi ,</div>
<div>> </div>
<div>>> I got error of “key derivation failed” when I configured ike using sha2. I don’t have problem with md5 or sha1. And I am using strongswan 5.1.1. Here is the corresponding log. Can someone tell me what I did wrong or is this a bug?</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> Thanks!</div>
<div>> </div>
<div>>> Bettina</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> ike=aes128-sha256-modp2048!</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> Mar 27 10:15:41 11[IKE] SKEYSEED => 32 bytes @ 0x41c89760</div>
<div>> </div>
<div>>> Mar 27 10:15:41 11[IKE] 0: 40 06 D6 2C 40 06 D8 24 40 F5 00 20 41 C7 BB 20 @..,@..$@.. A..</div>
<div>> </div>
<div>>> Mar 27 10:15:41 11[IKE] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................</div>
<div>> </div>
<div>>> Mar 27 10:15:41 11[IKE] key derivation failed</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> ike=aes128-sha384-modp2048!</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> Mar 27 10:46:03 09[IKE] SKEYSEED => 48 bytes @ 0x41c8bf70</div>
<div>> </div>
<div>>> Mar 27 10:46:03 09[IKE] 0: 43 36 20 31 35 20 31 34 20 30 42 20 38 38 20 36 C6 15 14 0B 88 6</div>
<div>> </div>
<div>>> Mar 27 10:46:03 09[IKE] 16: 46 20 43 38 20 38 45 20 35 34 20 42 44 20 38 42 F C8 8E 54 BD 8B</div>
<div>> </div>
<div>>> Mar 27 10:46:03 09[IKE] 32: 20 31 46 20 32 38 20 36 44 20 33 41 20 20 2E 2E 1F 28 6D 3A ..</div>
<div>> </div>
<div>>> Mar 27 10:46:03 09[IKE] key derivation failed</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> ike=aes128-sha512-modp2048!</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> Mar 27 10:48:17 09[IKE] SKEYSEED => 64 bytes @ 0x41c8bf70</div>
<div>> </div>
<div>>> Mar 27 10:48:17 09[IKE] 0: 31 45 20 38 33 20 31 33 20 38 39 20 31 36 20 34 1E 83 13 89 16 4</div>
<div>> </div>
<div>>> Mar 27 10:48:17 09[IKE] 16: 36 20 35 32 20 32 30 20 39 34 20 31 43 20 44 36 6 52 20 94 1C D6</div>
<div>> </div>
<div>>> Mar 27 10:48:17 09[IKE] 32: 20 38 39 20 37 38 20 42 43 20 39 41 20 20 69 2E 89 78 BC 9A i.</div>
<div>> </div>
<div>>> Mar 27 10:48:17 09[IKE] 48: 2E 2E 2E 2E 46 52 20 2E 2E 2E 2E 78 2E 2E 0A 20 ....FR ....x...</div>
<div>> </div>
<div>>> Mar 27 10:48:17 09[IKE] key derivation failed</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>>> _______________________________________________</div>
<div>>> Users mailing list</div>
<div>>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></div>
<div>>> <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div>
<div>> </div>
<div>> _______________________________________________</div>
<div>> Users mailing list</div>
<div>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></div>
<div>> <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div>
<div>> </div>
<div>-----BEGIN PGP SIGNATURE-----</div>
<div>Version: GnuPG v2</div>
<div> </div>
<div>iQIcBAEBCAAGBQJVFXTIAAoJEDg5KY9j7GZYXTMP/1egu5Gq35iybJ59jLi+hAf7</div>
<div>yqzvXCh0nZgOlS6G7bWVBwcRl1y+UT1tzcYcxg2WNHQHLoiCyawHMSBwtQalztMA</div>
<div>e9uKmieIMH2iEKuiv/pk34aP6hJ9ekv42Uo7r5Udj+VDgslyfw4Bc3KVRL75MVyb</div>
<div>b9rRV7JIBMfNhmC8mJk2DkLP34C50JuXMeIG3+8RehbP1NHLxUi4Pc5qHLOK3BGy</div>
<div>YkvckuBoynu90PR5WbkuVnn9c+ABQD218h8IDlHXwOD/Cyjdhg0j9qKsrJA7i9xy</div>
<div>VQ2RMvLQtzuFMdLJiBXGNlPFGWQEXMPyCQY5ZJWDeics6yTDNFyf7dKUDFLTDURk</div>
<div>GGADgcTFgAbyvmikZCaVC7EYlOVmIrH3OvkJIo5ZlVzvQ/nzzexnZe5Ldif95tns</div>
<div>iOGJIq6Tx9fYGm19bzs76btma8nFjZC+/mvESi5PnXhKFTCY69yzV2wOteuIichf</div>
<div>rtO7/j4V9UAWbnnFeQC0PRYYHDU0BvqjD7wLVZmeiU7ruHkB0t2a1g9ZIFpjIy3E</div>
<div>azfFWzZF4rJpeMP72c2Z6ZV2xjBXti0tOahbMFnBLmQOCcBCHrZP4Mn+P1nM8DTh</div>
<div>SLEbaIcLzp1LVnJgkJkV4r23+X8UEpY2uPNtW9Q/scGVsYTXc0y/SaDoRybBPUCm</div>
<div>TdT5SB+XCxJj4zCxOROs</div>
<div>=grsj</div>
<div>-----END PGP SIGNATURE-----</div>
<div> </div>
</span></font>
</body>
</html>