[strongSwan] newbie qs. suite B with AES-GCM

Philip Anil-QBW348 anil.philip at motorolasolutions.com
Fri Jan 6 00:13:42 CET 2012


Andreas,
In your earlier email you mentioned - perhaps it was a typo:

The Suite B parameters for IKE and ESP would be

* 128 bit security
ike=aes16-sha256-ecp256!
esp=aes128gcm128!

* 192 bit security
ike=aes256-sha384-ecp384!
esp=aes256gcm16!

Regards

Andreas


-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Thursday, January 05, 2012 4:39 PM
To: Philip Anil-QBW348
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM

Hi Anil,

your configuration

   ike=aes16-sha256-ecp256!

is faulty. It should be

   ike=aes128-sha256-ecp256!

Regards

Andreas

On 05.01.2012 17:52, Philip Anil-QBW348 wrote:
> Andreas,
> I added openssl to the load command in strongswan.conf.
> Still the same problem.
> Anil
> 
> -----------MOON----------------
> anil at spg-strongswan:~$ sudo ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 4.5.2 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> ----------ipsec.conf-------------
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=yes
>         plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         ike=aes16-sha256-ecp256!
>         esp=aes128gcm128!
> 
> conn rw
>         left=192.168.1.100
>         leftfirewall=yes
>         leftcert=moonCert.pem
>         leftid=@moon.strongswan.org
>         leftsubnet=10.1.0.0/16
>         right=%any
>         auto=add
> 
> # config setup
> # plutodebug=all
> # crlcheckinterval=600
> # strictcrlpolicy=yes
> # cachecrls=yes
> # nat_traversal=yes
> # charonstart=yes
> # plutostart=yes
> 
> # Add connections here.
> 
> # Sample VPN connections
> 
> # conn sample-self-signed
> #      left=%defaultroute
> #      leftsubnet=10.1.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
> 
> # conn sample-with-ca-cert
> #      left=%defaultroute
> #      leftsubnet=10.1.0.0/16
> #      leftcert=myCert.pem
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> #      keyexchange=ikev2
> #      auto=start
> 
> include /var/lib/strongswan/ipsec.conf.inc
> ----------------strongswan.conf------------------------
> # strongswan.conf - strongSwan configuration file
> 
> charon {
>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation
> hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
> 
>         # number of worker threads in charon
>         threads = 16
> 
>         # send strongswan vendor ID?
>         # send_vendor_id = yes
> 
>         plugins {
> 
>                 sql {
>                         # loglevel to log into sql database
>                         loglevel = -1
> 
>                         # URI to the database
>                         # database = sqlite:///path/to/file.db
>                         # database =
> mysql://user:password@localhost/database
>                 }
>         }
> 
>         # ...
> }
> 
> pluto {
> 
> }
> 
> libstrongswan {
> 
>         #  set to no, the DH exponent size is optimized
>         #  dh_exponent_ansi_x9_42 = no
> }
> 
> -------road warrior carol----------------
> ~$ ping 192.168.1.100
> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
> 64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
> 64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
> ~$ sudo /etc/init.d/iptables start 2> /dev/null
> ~$ sudo ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 4.5.2 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> ~$ sudo ipsec up home
> initiating IKE_SA home[1] to 192.168.1.100
> configured DH group MODP_NONE not supported
> tried to check-in and delete nonexisting IKE_SA
> ---------------------------
> # strongswan.conf - strongSwan configuration file
> 
> charon {
> 
>         # number of worker threads in charon
>         threads = 16
> 
>         # send strongswan vendor ID?
>         # send_vendor_id = yes
> 
>         plugins {
> 
>                 sql {
>                         # loglevel to log into sql database
>                         loglevel = -1
> 
>                         # URI to the database
>                         # database = sqlite:///path/to/file.db
>                         # database =
> mysql://user:password@localhost/database
>                 }
>         }
> 
>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation
> hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>         # ...
> }
> 
> pluto {
> 
> }
> 
> libstrongswan {
> 
>         #  set to no, the DH exponent size is optimized
>         #  dh_exponent_ansi_x9_42 = no
> }
> ---------------------------------------------------------------
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         # plutostart=yes
>         crlcheckinterval=180
>         strictcrlpolicy=yes
>         plutostart=no
> 
> # Add connections here.
> 
> # Sample VPN connections
> 
> # conn sample-self-signed
> #      left=%defaultroute
> #      leftsubnet=10.1.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
> 
> # conn sample-with-ca-cert
> #      left=%defaultroute
> #      leftsubnet=10.1.0.0/16
> #      leftcert=myCert.pem
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> #      keyexchange=ikev2
> #      auto=start
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         ike=aes16-sha256-ecp256!
>         esp=aes128gcm128!
> 
> conn home
>         left=192.168.1.105
>         leftfirewall=yes
>         leftcert=carolCert.pem
>         leftid=carol at strongswan.org
>         right=192.168.1.100
>         rightsubnet=10.1.0.0/16
>         rightid=@moon.strongswan.org
>         auto=add
> 
> include /var/lib/strongswan/ipsec.conf.inc
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Wed 1/4/2012 11:03 PM
> To: Philip Anil-QBW348
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
> 
> Just something came to my mind:
> 
> Did you define an elliptic curve Diffie-Hellman group,
> e.g. ecp256? If yes then you must load the openssl plugin
> both on moon and carol which gives you ECC support.
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==






More information about the Users mailing list