[strongSwan] newbie qs. suite B with AES-GCM

Philip Anil-QBW348 anil.philip at motorolasolutions.com
Thu Jan 5 18:11:01 CET 2012


Forgot to add ipsec statusall
-------carol----------------
~$ sudo ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 19 seconds, since Jan 05 11:09:05 2012
  malloc: sbrk 135168, mmap 0, used 92312, free 42856
  worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink updown openssl 
Listening IP addresses:
  192.168.1.105
Connections:
        home:  192.168.1.105...192.168.1.100
        home:   local:  [carol@strongswan.org] uses public key authentication
        home:   remote: [moon.strongswan.org] uses any authentication
        home:    crl:   status must be GOOD
        home:   child:  dynamic === 10.1.0.0/16 
Security Associations:
  none

-----Original Message-----
From: users-bounces+anil.philip=motorolasolutions.com at lists.strongswan.org on behalf of Philip Anil-QBW348
Sent: Thu 1/5/2012 10:52 AM
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
 
Andreas,
I added openssl to the load command in strongswan.conf.
Still the same problem.
Anil

-----------MOON----------------
anil at spg-strongswan:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
----------ipsec.conf-------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
	crlcheckinterval=180
	strictcrlpolicy=yes
	plutostart=no

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	ike=aes16-sha256-ecp256!
	esp=aes128gcm128!

conn rw
	left=192.168.1.100
	leftfirewall=yes
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftsubnet=10.1.0.0/16
	right=%any
	auto=add

# config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# charonstart=yes
# plutostart=yes

# Add connections here.

# Sample VPN connections

# conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

# conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start

include /var/lib/strongswan/ipsec.conf.inc
----------------strongswan.conf------------------------
# strongswan.conf - strongSwan configuration file

charon {
	load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl

	# number of worker threads in charon
	threads = 16

	# send strongswan vendor ID?
	# send_vendor_id = yes

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	# ...
}

pluto {

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}

-------road warrior carol----------------
~$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
~$ sudo /etc/init.d/iptables start 2> /dev/null
~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
~$ sudo ipsec up home
initiating IKE_SA home[1] to 192.168.1.100
configured DH group MODP_NONE not supported
tried to check-in and delete nonexisting IKE_SA
---------------------------
# strongswan.conf - strongSwan configuration file

charon {

	# number of worker threads in charon
	threads = 16

	# send strongswan vendor ID?
	# send_vendor_id = yes

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
	# ...
}

pluto {

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}
---------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# plutodebug=all
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# nat_traversal=yes
	charonstart=yes
	# plutostart=yes
	crlcheckinterval=180
	strictcrlpolicy=yes
	plutostart=no

# Add connections here.

# Sample VPN connections

# conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

# conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	ike=aes16-sha256-ecp256!
	esp=aes128gcm128!

conn home
	left=192.168.1.105
	leftfirewall=yes
	leftcert=carolCert.pem
	leftid=carol@strongswan.org
	right=192.168.1.100
	rightsubnet=10.1.0.0/16
	rightid=@moon.strongswan.org
	auto=add 

include /var/lib/strongswan/ipsec.conf.inc

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Wed 1/4/2012 11:03 PM
To: Philip Anil-QBW348
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
 
Just something came to my mind:

Did you define an elliptic curve Diffie-Hellman group,
e.g. ecp256? If yes then you must load the openssl plugin
both on moon and carol which gives you ECC support.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120105/7aaa785c/attachment.html>
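Editor's note with an added example. The thread above never reaches a resolution, so the following is not strongSwan code and not anything the participants wrote: it is a small lint for the `ike=` and `esp=` proposal values posted above, written by the page editor. It mirrors how charon treats those values: proposals are separated by commas, the algorithms inside one proposal by hyphens, and a trailing `!` means strict (offer only what is listed, never append the built-in defaults), and a token the parser does not recognise invalidates the whole proposal. Run over the page's own `ike=aes16-sha256-ecp256!`, it flags `aes16` as not a keyword (`aes128`, `aes192`, `aes256` are) and then, because the proposal is strict, reports that nothing usable is left. Reading the log line `configured DH group MODP_NONE not supported` as the symptom of that empty proposal list is this editor's interpretation, not something stated in the thread. The keyword tables are an assumed subset of strongSwan's; the plugin mapping takes "ecp groups need the openssl plugin" from Andreas's message and assumes GCM modes come from the `gcm` plugin, as listed on carol's `loaded plugins:` line.

```python
"""Lint strongSwan ipsec.conf proposal strings (ike= / esp=).

Added example by the page editor, not strongSwan code. Models charon's
handling of a proposal value: ',' separates proposals, '-' separates the
algorithms of one proposal, a trailing '!' means strict (no defaults
appended), and an unrecognized token drops that whole proposal.
"""
import re

# Assumed keyword tables: a subset of strongSwan's, enough for this page.
# 'aes128gcm128' is the ICV-in-bits spelling of aes128gcm16 (both accepted).
ENCR_RE = re.compile(
    r"^(?:(aes|camellia)(128|192|256)(gcm(?:8|12|16|64|96|128)|ccm(?:8|12|16))?"
    r"|3des|null)$")
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
PRF = {"prf" + i for i in INTEG}
DH_RE = re.compile(r"^(?:modp(?:768|1024|1536|2048|3072|4096|6144|8192)"
                   r"|ecp(?:192|224|256|384|521))$")

# Assumed plugin mapping for a 4.5.2-era build: ECC DH groups come from the
# openssl plugin (per Andreas's mail above), GCM modes from the gcm plugin.
NEEDS_PLUGIN = {"ecp": "openssl", "gcm": "gcm"}

# The 'loaded plugins:' line from carol's 'ipsec statusall' on this page.
PAGE_PLUGINS = set("curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 "
                   "revocation hmac xcbc gcm stroke kernel-netlink updown openssl".split())


def classify(token):
    """Return the class of one algorithm token, or None if unrecognized."""
    m = ENCR_RE.match(token)
    if m:
        return "aead" if m.group(3) else "encr"
    if token in INTEG:
        return "integ"
    if token in PRF:
        return "prf"
    if DH_RE.match(token):
        return "dh"
    return None


def parse(value):
    """Split a proposal value into (strict, [(proposal, {class: tokens}, unknown)])."""
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    out = []
    for prop in filter(None, body.split(",")):
        classes, unknown = {}, []
        for tok in prop.split("-"):
            cls = classify(tok)
            if cls is None:
                unknown.append(tok)
            else:
                classes.setdefault(cls, []).append(tok)
        out.append((prop, classes, unknown))
    return strict, out


def lint(kind, value, loaded):
    """Return findings for an ike= or esp= value, given the set of loaded plugins."""
    findings = []
    strict, proposals = parse(value)
    usable = 0
    for prop, classes, unknown in proposals:
        if unknown:
            findings.append("%s proposal '%s': unrecognized token(s) %s; charon drops "
                            "the whole proposal" % (kind, prop, ", ".join(unknown)))
            continue
        usable += 1
        if "encr" not in classes and "aead" not in classes:
            findings.append("%s proposal '%s': no encryption algorithm" % (kind, prop))
        if kind == "ike" and "dh" not in classes:
            findings.append("ike proposal '%s': no DH group" % prop)
        for cls in ("dh", "aead"):
            for tok in classes.get(cls, []):
                for prefix, plugin in NEEDS_PLUGIN.items():
                    if prefix in tok and plugin not in loaded:
                        findings.append("%s proposal '%s': %s needs plugin '%s', which "
                                        "is not loaded" % (kind, prop, tok, plugin))
    if strict and usable == 0:
        # Editor's reading of the page: with '!' and no usable proposal charon has
        # no DH group to offer, which is when it logs
        # "configured DH group MODP_NONE not supported".
        findings.append("%s=%s: strict (!) but no usable proposal; for ike= this is the "
                        "state in which charon logs 'configured DH group MODP_NONE not "
                        "supported'" % (kind, value))
    return findings


def lint_page():
    """Run the checks over the ike=/esp= values and plugin list copied from this page."""
    return {"ike": lint("ike", "aes16-sha256-ecp256!", PAGE_PLUGINS),
            "esp": lint("esp", "aes128gcm128!", PAGE_PLUGINS)}


if __name__ == "__main__":
    for kind, found in lint_page().items():
        print(kind, "OK" if not found else "")
        for f in found:
            print("  -", f)
```

With the page's values, `esp=aes128gcm128!` passes and `ike=aes16-sha256-ecp256!` yields two findings (the unknown token, then the empty strict proposal list); changing the token to `aes128` makes the `ike=` value pass, and removing `openssl` from the plugin set makes the lint point at `ecp256` instead, which is the other failure Andreas's message anticipates.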