[strongSwan] PSK_with_ideal_keys, charon_crashes_with_8m_keylife_?

o Encryptos encryptos at gmail.com
Tue Mar 22 15:40:02 CET 2011


Hi Martin,

thank you for your fast reply.


2011/3/21 Martin Willi <martin at strongswan.org>

> Hi Nikos,
>
> > How could I take advantage of the "given ideal keys" ?
> > Is it possible to use the DH derived keys as an index to the pool of
> > those "ideal keys"?
>
> The IKEv2 protocol uses the DH exchange as a base to derive the
> cryptographic keys. With PSK authentication, the PSKs are not part of
> the key derivation, but only used for peer authentication.
>
> So at least an IKEv2 compatible implementation can't use the PSK keys
> directly to derive key material from. You could set up your SAs manually
> using these keys, or feed in your "ideal" key material to the DH
> exchange. Depends on what you actually want to achieve.
>
>
I've been using ipsectools-0.7.2 (setkey) to manually add these keys, but with
this type of IPsec I lose some other IKEv2 benefits (NAT-T, inactivity, what
else?).

How difficult would it be to feed in the "ideal" key material to the DH
exchange?
It would be great if, instead of calculating (DH) the next cryptokey for, let's
say, each new CHILD_SA, this mechanism selected the next key in a serial manner
from a given file/db (of the ideal keys).


> > charon: 08[DMN] thread 10 received 11
> > charon: 08[DMN] killing ourself, received critical signal
>
> If you can verify this crash with our latest release, a GDB backtrace
> would be helpful to analyze the issue (use ipsec start --attach-gdb).
>
> Regards
> Martin
>
>
Unfortunately the version I use (4.4.1) is quite patched and I'll have to
re-apply all patches to the new version and re-run the scenario.
I'll try it out but it will take some time.

Best Regards,
Nikos
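
The key derivation described in the quoted reply, as an added example that is not part of the original message or of strongSwan's code: it follows RFC 7296 sections 2.13 to 2.17 and shows that the DH secret feeds every derived key, while the PSK only enters the AUTH value. HMAC-SHA256 as the PRF, 32-byte key lengths, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: PRF_HMAC_SHA2_256 is the negotiated PRF.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # RFC 7296 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def ike_sa_keys(g_ir, ni, nr, spi_i, spi_r):
    # SKEYSEED = prf(Ni | Nr, g^ir); the PSK is not an input here.
    skeyseed = prf(ni + nr, g_ir)
    # Assumption: 32 bytes per key; real lengths depend on the negotiated algorithms.
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * 32)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    return {n: stream[i * 32:(i + 1) * 32] for i, n in enumerate(names)}

def child_sa_keymat(sk_d, ni, nr, length=64):
    # KEYMAT = prf+(SK_d, Ni | Nr) for a CHILD_SA created without a fresh DH exchange.
    return prf_plus(sk_d, ni + nr, length)

def psk_auth(psk, signed_octets):
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)

# Constructed sample values, not taken from a real exchange.
G_IR = bytes.fromhex("11" * 32)          # stands in for the DH shared secret g^ir
NI, NR = b"\xaa" * 32, b"\xbb" * 32      # nonces
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8  # IKE SPIs
OCTETS = b"constructed stand-in for the signed octets"

if __name__ == "__main__":
    keys = ike_sa_keys(G_IR, NI, NR, SPI_I, SPI_R)
    print("KEYMAT:", child_sa_keymat(keys["SK_d"], NI, NR).hex())
    print("AUTH (psk A):", psk_auth(b"psk-A", OCTETS).hex())
    print("AUTH (psk B):", psk_auth(b"psk-B", OCTETS).hex())
```

Changing the PSK changes only the AUTH value; changing `G_IR` changes every SK_* key and the CHILD_SA KEYMAT derived from SK_d.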