[strongSwan] newbie qs. suite B with AES-GCM

Philip Anil-QBW348 anil.philip@motorolasolutions.com
Thu Jan 5 17:52:25 CET 2012


Andreas,
I added openssl to the load command in strongswan.conf.
Still the same problem.
Anil

-----------MOON----------------
anil at spg-strongswan:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
----------ipsec.conf-------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
	crlcheckinterval=180
	strictcrlpolicy=yes
	plutostart=no

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	ike=aes16-sha256-ecp256!
	esp=aes128gcm128!

conn rw
	left=192.168.1.100
	leftfirewall=yes
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftsubnet=10.1.0.0/16
	right=%any
	auto=add

# config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# charonstart=yes
# plutostart=yes

# Add connections here.

# Sample VPN connections

# conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

# conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start

include /var/lib/strongswan/ipsec.conf.inc
----------------strongswan.conf------------------------
# strongswan.conf - strongSwan configuration file

charon {
	load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl

	# number of worker threads in charon
	threads = 16

	# send strongswan vendor ID?
	# send_vendor_id = yes

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	# ...
}

pluto {

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}

-------road warrior carol----------------
~$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
~$ sudo /etc/init.d/iptables start 2> /dev/null
~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
~$ sudo ipsec up home
initiating IKE_SA home[1] to 192.168.1.100
configured DH group MODP_NONE not supported
tried to check-in and delete nonexisting IKE_SA
---------------------------
# strongswan.conf - strongSwan configuration file

charon {

	# number of worker threads in charon
	threads = 16

	# send strongswan vendor ID?
	# send_vendor_id = yes

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
	# ...
}

pluto {

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}
---------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# plutodebug=all
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# nat_traversal=yes
	charonstart=yes
	# plutostart=yes
	crlcheckinterval=180
	strictcrlpolicy=yes
	plutostart=no

# Add connections here.

# Sample VPN connections

# conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

# conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	ike=aes16-sha256-ecp256!
	esp=aes128gcm128!

conn home
	left=192.168.1.105
	leftfirewall=yes
	leftcert=carolCert.pem
	leftid=carol@strongswan.org
	right=192.168.1.100
	rightsubnet=10.1.0.0/16
	rightid=@moon.strongswan.org
	auto=add

include /var/lib/strongswan/ipsec.conf.inc

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen@strongswan.org]
Sent: Wed 1/4/2012 11:03 PM
To: Philip Anil-QBW348
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
 
Just something came to my mind:

Did you define an elliptic curve Diffie-Hellman group,
e.g. ecp256? If yes then you must load the openssl plugin
both on moon and carol which gives you ECC support.
