[strongSwan] newbie qs. suite B with AES-GCM

Andreas Steffen andreas.steffen at strongswan.org
Thu Jan 5 06:03:41 CET 2012


Something just came to my mind:

Did you define an elliptic curve Diffie-Hellman group,
e.g. ecp256? If yes, then you must load the openssl plugin
on both moon and carol, which gives you ECC support.

Regards

Andreas

On 05.01.2012 06:00, Andreas Steffen wrote:
> Hello Anil,
> 
> something is wrong with your roadwarrior configuration on carol:
> 
>   configured DH group MODP_NONE not supported
> 
> What does the ipsec.conf file on carol look like?
> 
> Regards
> 
> Andreas
> 
> On 05.01.2012 01:43, Philip Anil-QBW348 wrote:
>> Andreas,
>> I am trying to go through the commands in console.log
>> I am getting an error on carol.
>> Anil
>>
>> -------------moon--------------------
>> ~$ sudo ipsec start
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/ipv4/ah4.ko
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/ipv4/esp4.ko
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/xfrm/xfrm_ipcomp.ko
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/ipv4/ipcomp.ko
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/ipv4/tunnel4.ko
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/ipv4/xfrm4_tunnel.ko
>> insmod /lib/modules/3.0.0-14-generic-pae/kernel/net/xfrm/xfrm_user.ko
>> ~$ sudo ipsec statusall
>> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>>   uptime: 7 minutes, since Jan 04 12:33:26 2012
>>   malloc: sbrk 135168, mmap 0, used 75808, free 59360
>>   worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
>>   loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
>> revocation hmac xcbc gcm stroke kernel-netlink updown
>> Listening IP addresses:
>>   192.168.1.100
>> Connections:
>>           rw:  192.168.1.100...%any
>>           rw:   local:  [moon.strongswan.org] uses public key authentication
>>           rw:   remote: [%any] uses any authentication
>>           rw:    crl:   status must be GOOD
>>           rw:   child:  10.1.0.0/16 === dynamic
>> Security Associations:
>>   none
>> ~$
>>
>> ----------roadwarrior carol--------------
>> ~$ sudo ipsec start
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> charon is already running (/var/run/charon.pid exists) -- skipping
>> charon start
>> starter is already running (/var/run/starter.pid exists) -- no fork done
>> ~$ sleep 1
>> ~$ sudo ipsec up home
>> initiating IKE_SA home[1] to 192.168.1.100
>> configured DH group MODP_NONE not supported
>> tried to check-in and delete nonexisting IKE_SA

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
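
The check suggested in the reply above (an ecp group in the proposals requires the openssl plugin in the `loaded plugins` list), as an added example that is not part of the original message or the strongSwan project. The function names and the ipsec.conf fragment are constructed for illustration, since carol's real configuration is not shown in the thread; the status text is moon's output as quoted above.

```python
import re

# Per the reply above: ECP Diffie-Hellman groups need the openssl plugin.
ECP_RE = re.compile(r"\becp\d+\b", re.IGNORECASE)

def ecp_groups(ipsec_conf):
    """Return the ecp* DH groups named in ike=/esp= proposals."""
    groups = set()
    for line in ipsec_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(ike|esp)\s*=\s*(.+)", line)
        if m:
            groups.update(g.lower() for g in ECP_RE.findall(m.group(2)))
    return groups

def loaded_plugins(statusall):
    """Parse 'loaded plugins:' from `ipsec statusall`, tolerating a wrapped list."""
    plugins, collecting = set(), False
    for line in statusall.splitlines():
        if "loaded plugins:" in line:
            collecting = True
            line = line.split("loaded plugins:", 1)[1]
        elif collecting and ":" in line:              # next status field begins
            break
        if collecting:
            plugins.update(line.split())
    return plugins

def check(host, ipsec_conf, statusall):
    """Return a warning string, or None when the configuration is consistent."""
    groups = ecp_groups(ipsec_conf)
    if groups and "openssl" not in loaded_plugins(statusall):
        return "%s: %s configured but openssl plugin not loaded" % (
            host, ", ".join(sorted(groups)))
    return None

# moon's status output as quoted in the thread (plugin list wrapped by the mailer).
MOON_STATUS = """\
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation hmac xcbc gcm stroke kernel-netlink updown
Listening IP addresses:
  192.168.1.100
"""

# Constructed ipsec.conf fragment (hypothetical proposals, not from the thread).
SAMPLE_CONF = """\
conn home
    ike=aes128-sha256-ecp256!   # assumed ECP proposal
    esp=aes128gcm16!
"""

if __name__ == "__main__":
    print(check("moon", SAMPLE_CONF, MOON_STATUS))
```

Run it on each peer with that host's own `ipsec.conf` and `ipsec statusall` output, since the plugin has to be loaded on both ends.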
