<div dir="ltr">Hi Andreas,<div><br></div><div>Does IKEv1 support SHA_256_96 for ESP ? I see that strongswan does not send out the integrity algorithm when configured as SHA-256_96 for IKEv1. However it works for IKEv2. </div><div><br></div><div>Thanks,</div><div>Lakshmi</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 12, 2016 at 9:26 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Lakshmi,<br>
<br>
SHA-256 was implemented incorrectly for ESP with a 96 bit instead<br>
of the standard 128 bit truncation in Linux kernels older than<br>
2.6.33.<br>
<br>
Workarounds:<br>
<br>
1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)<br>
<br>
2) If you run strongSwan on both VPN end points you can select the<br>
incorrect non-standard 96 bit truncation size by configuring<br>
<br>
esp=aes128-sha256_96<br>
<br>
In order for this non-standard algorithm ID to be accepted it might<br>
also be necessary to activate the sending of the strongSwan vendor id<br>
by setting<br>
<br>
charon {<br>
send_vendor_id = yes<br>
}<br>
<br>
in /etc/strongswan.conf<br>
<br>
Regards<br>
<br>
Andreas<div><div class="h5"><br>
<br>
On 12.08.2016 03:04, Lakshmi Prasanna wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Experts,<br>
<br>
Need urgent help.<br>
<br>
When I try to use strongswan with SHA256, I see that the negotiation<br>
fails at child SA creation time. I am using<br>
strongSwan 5.1.3, Linux 2.6.21 version). Following is the log:<br>
<br>
arsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]<br>
<br>
received netlink error: Invalid argument (22)<br>
<br>
unable to add SAD entry with SPI c28f19c1<br>
<br>
received netlink error: Invalid argument (22)<br>
<br>
unable to add SAD entry with SPI c088894f<br>
<br>
unable to install inbound and outbound IPsec SA (SAD) in kernel<br>
<br>
failed to establish CHILD_SA, keeping IKE_SA<br>
<br>
sending DELETE for ESP CHILD_SA with SPI c28f19c1<br>
<br>
<br>
I have already tried the changes mentioned in<br>
<a href="https://lists.strongswan.org/pipermail/users/2013-September/005203.html" rel="noreferrer" target="_blank">https://lists.strongswan.org/p<wbr>ipermail/users/2013-September/<wbr>005203.html</a><br>
and it doesnt seem to work.<br>
<br>
Is there any other fix for this issue?<br>
<br>
Rgds,<br>
<br>
Lakshmi<br>
<br>
</blockquote></div></div>
==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<wbr>org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>ITA-HSR]==<br>
<br>
</blockquote></div><br></div>