[strongSwan] many cipher/hash modes seems to be unavailable

Troy Telford ttelford.groups at gmail.com
Sun Oct 3 08:17:22 CEST 2010


On 2010-10-02 18:21:38 -0600, Christoph Anton Mitterer said:

> Hi.
> 
> I'm using the Debian sid version of strongswan (without the ikev1
> package).
> I wanted to use
> ike = aes256gcm128-sha512-modp2048
> esp = aes256gcm128-sha512-modp2048
> 
> but if I set this on both hosts (host-to-host scenario with tunnel mode)
> no tunnel seems to be set up.
> 
> ipsec listall also shows me just these:
> List of registered IKEv2 Algorithms:
> 
>   encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC
> IDEA_CBC CAST_CBC BLOWFISH_CBC NULL
>   integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160
> HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192
> HMAC_SHA2_512_256
>   hasher:     HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512
> HASH_MD5 HASH_MD2 HASH_MD4
>   prf:        PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC
> PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384
> PRF_HMAC_SHA2_512
>   dh-group:   MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256
> ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192
> MODP_1024 MODP_1024_160 MODP_768
> 
> 
> What about all the GCM and CCM modes listed here:
> http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites ?

One problem is that you need support for the ciphers to be compiled 
into strongswan - whether it depends on the crypto library it's linked 
against, or what, I'm not certain.  Debian may simply not be compiled 
with those ciphers enabled.
-- 
Troy Telford
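
One way to run the check the reply points to is to compare each component of the configured proposal with what `ipsec listall` reports as registered. This is an added example, not part of the original post or strongSwan's own code; the keyword-to-name table `NEEDS` and the function names are assumptions, and the sample is an abridged copy of the quoted listing.

```python
import re

# Constructed sample: abridged copy of the listall excerpt quoted in the post,
# keeping the mail client's line wrapping.
LISTALL = """\
List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC
IDEA_CBC CAST_CBC BLOWFISH_CBC NULL
  integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA2_256_128 HMAC_SHA2_384_192
HMAC_SHA2_512_256
  prf:        PRF_KEYED_SHA1 PRF_HMAC_SHA2_256 PRF_HMAC_SHA1
PRF_HMAC_SHA2_512
  dh-group:   MODP_2048 MODP_1536 ECP_256 MODP_3072 MODP_4096
"""

# Assumed mapping (hypothetical, covers only the proposal from the post):
# keyword -> [(categories it may be listed under, registered name)].
NEEDS = {
    "aes256gcm128": [({"encryption", "aead"}, "AES_GCM_16")],
    "sha512": [({"integrity"}, "HMAC_SHA2_512_256"), ({"prf"}, "PRF_HMAC_SHA2_512")],
    "modp2048": [({"dh-group"}, "MODP_2048")],
}

def parse_listall(text):
    """Return {category: set(names)}, joining wrapped continuation lines."""
    algs, current = {}, None
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()      # tolerate mail-quoted input
        m = re.match(r"([a-z][a-z-]*):\s+(.*)", line)
        if m:
            current = m.group(1)
            algs.setdefault(current, set()).update(m.group(2).split())
        elif line and current:
            algs[current].update(line.split())  # wrapped continuation
        elif not line:
            current = None                      # blank line ends a category
    return algs

def missing(proposal, algs):
    """List (keyword, name) pairs the proposal needs but listall lacks."""
    out = []
    for kw in proposal.split("-"):
        # Keywords absent from NEEDS are reported rather than silently passed.
        for cats, name in NEEDS.get(kw, [(set(), "UNMAPPED")]):
            if not any(name in algs.get(c, ()) for c in cats):
                out.append((kw, name))
    return out

if __name__ == "__main__":
    for kw, name in missing("aes256gcm128-sha512-modp2048", parse_listall(LISTALL)):
        print(f"{kw}: {name} is not registered")
```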





