[strongSwan] newbie qs. suite B with AES-GCM
Philip Anil-QBW348
anil.philip at motorolasolutions.com
Thu Jan 5 18:11:01 CET 2012
Forgot to add ipsec statusall
-------carol----------------
~$ sudo ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 19 seconds, since Jan 05 11:09:05 2012
malloc: sbrk 135168, mmap 0, used 92312, free 42856
worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink updown openssl
Listening IP addresses:
192.168.1.105
Connections:
home: 192.168.1.105...192.168.1.100
home: local: [carol@strongswan.org] uses public key authentication
home: remote: [moon.strongswan.org] uses any authentication
home: crl: status must be GOOD
home: child: dynamic === 10.1.0.0/16
Security Associations:
none
-----Original Message-----
From: users-bounces+anil.philip=motorolasolutions.com at lists.strongswan.org on behalf of Philip Anil-QBW348
Sent: Thu 1/5/2012 10:52 AM
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
Andreas,
I added openssl to the load command in strongswan.conf.
Still the same problem.
Anil
-----------MOON----------------
anil at spg-strongswan:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
----------ipsec.conf-------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    crlcheckinterval=180
    strictcrlpolicy=yes
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes16-sha256-ecp256!
    esp=aes128gcm128!

conn rw
    left=192.168.1.100
    leftfirewall=yes
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftsubnet=10.1.0.0/16
    right=%any
    auto=add

# config setup
#     plutodebug=all
#     crlcheckinterval=600
#     strictcrlpolicy=yes
#     cachecrls=yes
#     nat_traversal=yes
#     charonstart=yes
#     plutostart=yes

# Add connections here.

# Sample VPN connections

# conn sample-self-signed
#     left=%defaultroute
#     leftsubnet=10.1.0.0/16
#     leftcert=selfCert.der
#     leftsendcert=never
#     right=192.168.0.2
#     rightsubnet=10.2.0.0/16
#     rightcert=peerCert.der
#     auto=start

# conn sample-with-ca-cert
#     left=%defaultroute
#     leftsubnet=10.1.0.0/16
#     leftcert=myCert.pem
#     right=192.168.0.2
#     rightsubnet=10.2.0.0/16
#     rightid="C=CH, O=Linux strongSwan CN=peer name"
#     keyexchange=ikev2
#     auto=start

include /var/lib/strongswan/ipsec.conf.inc
----------------strongswan.conf------------------------
# strongswan.conf - strongSwan configuration file

charon {
    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    # ...
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
-------road warrior carol----------------
~$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
~$ sudo /etc/init.d/iptables start 2> /dev/null
~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
~$ sudo ipsec up home
initiating IKE_SA home[1] to 192.168.1.100
configured DH group MODP_NONE not supported
tried to check-in and delete nonexisting IKE_SA
---------------------------
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl

    # ...
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
---------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    # plutostart=yes
    crlcheckinterval=180
    strictcrlpolicy=yes
    plutostart=no

# Add connections here.

# Sample VPN connections

# conn sample-self-signed
#     left=%defaultroute
#     leftsubnet=10.1.0.0/16
#     leftcert=selfCert.der
#     leftsendcert=never
#     right=192.168.0.2
#     rightsubnet=10.2.0.0/16
#     rightcert=peerCert.der
#     auto=start

# conn sample-with-ca-cert
#     left=%defaultroute
#     leftsubnet=10.1.0.0/16
#     leftcert=myCert.pem
#     right=192.168.0.2
#     rightsubnet=10.2.0.0/16
#     rightid="C=CH, O=Linux strongSwan CN=peer name"
#     keyexchange=ikev2
#     auto=start

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes16-sha256-ecp256!
    esp=aes128gcm128!

conn home
    left=192.168.1.105
    leftfirewall=yes
    leftcert=carolCert.pem
    leftid=carol@strongswan.org
    right=192.168.1.100
    rightsubnet=10.1.0.0/16
    rightid=@moon.strongswan.org
    auto=add

include /var/lib/strongswan/ipsec.conf.inc
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Wed 1/4/2012 11:03 PM
To: Philip Anil-QBW348
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
Just something came to my mind:
Did you define an elliptic curve Diffie-Hellman group,
e.g. ecp256? If yes then you must load the openssl plugin
both on moon and carol which gives you ECC support.
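The thread turns on two things that are easy to get wrong by hand: whether every keyword in an `ike=`/`esp=` proposal string is one strongSwan actually knows, and whether the plugin list in strongswan.conf supplies the algorithms those keywords name (as Andreas notes, ECP groups come from the openssl plugin in this release). The following lint is an added example written for this page, not strongSwan code and not part of the thread. It parses the `conn` sections of an ipsec.conf (merging `conn %default` the way the daemon does), pulls the `load =` line out of strongswan.conf, and reports unknown keywords, IKE proposals that carry no Diffie-Hellman group, ECP groups without the openssl plugin, and AES-GCM without the gcm plugin. The keyword tables are a subset of the real proposal syntax (an assumption, sufficient for the configs in this thread), and the embedded sample is moon's ipsec.conf from the thread with its indentation restored.

```python
"""Lint strongSwan ipsec.conf proposal strings against the charon plugin list.

Constructed example for this thread; not strongSwan code. The keyword sets
below are a subset of the ipsec.conf proposal syntax (assumption).
"""
import re

# Encryption keywords: plain AES/3DES and the AES-GCM combined modes.
ENCR = {"3des", "aes128", "aes192", "aes256", "null"}
for _bits in ("128", "192", "256"):
    for _icv in ("8", "12", "16", "64", "96", "128"):
        ENCR.add(f"aes{_bits}gcm{_icv}")
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
MODP = {f"modp{n}" for n in (768, 1024, 1536, 2048, 3072, 4096, 6144, 8192)}
ECP = {"ecp192", "ecp224", "ecp256", "ecp384", "ecp521"}

# moon's ipsec.conf as posted in the thread (indentation restored).
MOON_IPSEC_CONF = """\
config setup
    crlcheckinterval=180
    strictcrlpolicy=yes
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes16-sha256-ecp256!
    esp=aes128gcm128!

conn rw
    left=192.168.1.100
    leftfirewall=yes
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftsubnet=10.1.0.0/16
    right=%any
    auto=add
"""

# The charon section of moon's strongswan.conf, reduced to the lines that matter here.
MOON_STRONGSWAN_CONF = """\
charon {
    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
    threads = 16
}
"""


def loaded_plugins(strongswan_conf):
    """Plugins named on a 'load =' line; None means no explicit list (everything loads)."""
    m = re.search(r"^\s*load\s*=\s*(.+)$", strongswan_conf, re.MULTILINE)
    return set(m.group(1).split()) if m else None


def has_plugin(plugins, name):
    return plugins is None or name in plugins


def parse_ipsec_conf(text):
    """conn sections as {name: {key: value}}, with 'conn %default' merged into each.

    ipsec.conf section headers start in column 0; parameters are the indented lines.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split(None, 1)
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = sections.setdefault(parts[1].strip(), {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **params} for name, params in sections.items()}


def lint_proposal(prop, kind, plugins):
    """Findings for one proposal such as 'aes128-sha256-ecp256' (trailing '!' already removed)."""
    findings, have_dh = [], False
    for tok in prop.split("-"):
        if tok in ENCR:
            if "gcm" in tok and not has_plugin(plugins, "gcm"):
                findings.append(f"{tok}: AES-GCM needs the gcm plugin loaded")
        elif tok in INTEG:
            continue
        elif tok in MODP or tok in ECP:
            have_dh = True
            if tok in ECP and not has_plugin(plugins, "openssl"):
                findings.append(f"{tok}: ECP groups need the openssl plugin loaded")
        else:
            findings.append(f"{tok}: unknown algorithm keyword")
    # An IKE proposal must name a DH group; for ESP the group is optional (PFS).
    if kind == "ike" and not have_dh:
        findings.append("IKE proposal has no Diffie-Hellman group")
    return findings


def lint_config(ipsec_conf, strongswan_conf):
    """Cross-check every conn's ike=/esp= proposals against the loaded plugins."""
    plugins = loaded_plugins(strongswan_conf)
    out = []
    for name, params in parse_ipsec_conf(ipsec_conf).items():
        for kind in ("ike", "esp"):
            # '!' marks a strict proposal list; ',' separates alternative proposals.
            for prop in params.get(kind, "").rstrip("!").split(","):
                if prop:
                    out += [f"conn {name}: {kind}={prop}: {f}"
                            for f in lint_proposal(prop, kind, plugins)]
    return out


if __name__ == "__main__":
    for finding in lint_config(MOON_IPSEC_CONF, MOON_STRONGSWAN_CONF):
        print(finding)
```

Run against moon's posted files the lint accepts `esp=aes128gcm128!` (gcm is loaded) and the `ecp256` group (openssl is loaded), but flags `aes16` in the `ike=` line as a keyword it does not recognise; rerun with `openssl` dropped from the load line and the ECP finding appears as well, which is the check Andreas asks for.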