[strongSwan] does strongswan support ECDH for IKEv1?

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 27 10:06:48 CEST 2010


Hi Songling,

I suspect that even though you compiled the openssl plugin, this
plugin is not loaded during runtime. If you execute

   ipsec statusall

then the openssl plugin should be listed. You probably have an
explicit load = statement for the pluto daemon in strongswan.conf
where openssl is missing. For inexperienced users we recommend
not to use load statements but to use the default behaviour which
loads all enabled plugins.

Best regards

Andreas

On 27.04.2010 09:47, Songling Yang wrote:
> Hi all,
> Does anyone know how to turn on ECDH groups for IKEv1 negotiation in
> Strongswan? Here is what I did for my test and it didn’t work.
> 1/ Download latest strongswan tarball v4.3.6.
> 2/ Install strongswan.
> ./configure --enable-openssl
> make
> make install
> 3/ Configure p1 proposal with ecdh group for strongswan conn.
> ike=3des-sha1-ecp256
> 4/ Initiate peer connection with DH group 19. I got the following error
> from strongswan log.
> *****parsse ISAKMP oakley attribute:
> af+type: OAKLEY_GROUP_DESCRIPTION
> length/value: 19
> [19 is ECP_256]
> "ssg20" #1: ECP_256 is not supported.
> "ssg20" #1: no acceptable oakley transform
> "ssg20" #1: sending notification NO_PROPOSAL_CHOSE to 10.158.30.23:500
> 5/ Here is what I got from “sudo ipsec listalgs”. I don’t see ECC groups
> being listed.
> test:~/strongswan-4.3.6$ sudo ipsec version
> Linux strongSwan U4.3.6/K2.6.15-27-386
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
> test:~/strongswan-4.3.6$ sudo ipsec listalgs
> 000
> 000 List of registered IKEv1 Algorithms:
> 000
> 000 encryption: 3DES_CBC AES_CBC
> 000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
> 000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096
> MODP_6144 MODP_8192
> 000
> 000 List of registered ESP Algorithms:
> 000
> 000 encryption: DES_CBC 3DES_CBC BLOWFISH_CBC NULL AES_CBC AES_CCM_8
> AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 SERPENT_CBC
> TWOFISH_CBC
> 000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96
> Thanks.
> Songling



-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
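
The check described in the reply above, as an added example that is not part of the original message or of strongSwan itself: a shell function that reports whether a daemon section of strongswan.conf carries an explicit `load =` list and whether a given plugin is in it. The function name `check_plugin_load` is hypothetical, the two config files are constructed samples, and the parser assumes the section name and its opening `{` are on the same line.

```shell
#!/bin/sh
# check_plugin_load CONF SECTION PLUGIN   (hypothetical helper, added example)
# Prints one of:
#   default - SECTION has no explicit "load =" line, so all enabled plugins load
#   listed  - the explicit load list contains PLUGIN
#   missing - an explicit load list exists but omits PLUGIN
check_plugin_load() {
    awk -v section="$2" -v plugin="$3" '
        { sub(/#.*/, "") }                          # drop comments
        depth == 0 && $1 == section && /[{]/ { insec = 1 }
        insec && depth == 1 && /^[ \t]*load[ \t]*=/ {
            found = 1
            line = $0
            sub(/^[^=]*=/, "", line)                # keep only the plugin names
            n = split(line, names, /[ \t]+/)
            for (i = 1; i <= n; i++) if (names[i] == plugin) listed = 1
        }
        {   # track brace nesting so only the requested section is inspected
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (insec && depth == 0) insec = 0
        }
        END { print (!found ? "default" : (listed ? "listed" : "missing")) }
    ' "$1"
}

# Constructed sample configs (not taken from the poster's system)
tmp=$(mktemp -d)
cat > "$tmp/explicit.conf" <<'EOF'
pluto {
  # explicit list that leaves out the openssl plugin
  load = aes des sha1 md5 sha2 hmac gmp random pubkey
}
charon {
  load = aes des sha1 openssl
}
EOF
cat > "$tmp/default.conf" <<'EOF'
charon {
  load = aes des sha1 openssl
}
pluto {
  # no load line: default behaviour applies
}
EOF

check_plugin_load "$tmp/explicit.conf" pluto openssl
check_plugin_load "$tmp/default.conf" pluto openssl
```

A `missing` result for the pluto section matches the situation suspected in the reply; `ipsec statusall` and `ipsec listalgs` remain the runtime confirmation.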



