[strongSwan] newbie qs. suite B with AES-GCM
Philip Anil-QBW348
anil.philip at motorolasolutions.com
Fri Jan 6 00:13:42 CET 2012
Andreas,
In your earlier email you mentioned - perhaps it was a typo:
The Suite B parameters for IKE and ESP would be
* 128 bit security
ike=aes16-sha256-ecp256!
esp=aes128gcm128!
* 192 bit security
ike=aes256-sha384-ecp384!
esp=aes256gcm16!
Regards
Andreas
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Thursday, January 05, 2012 4:39 PM
To: Philip Anil-QBW348
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
Hi Anil,
your configuration
ike=aes16-sha256-ecp256!
is faulty. It should be
ike=aes128-sha256-ecp256!
Regards
Andreas
On 05.01.2012 17:52, Philip Anil-QBW348 wrote:
> Andreas,
> I added openssl to the load command in strongswan.conf.
> Still the same problem.
> Anil
>
> -----------MOON----------------
> anil@spg-strongswan:~$ sudo ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 4.5.2 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> ----------ipsec.conf-------------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=yes
>     plutostart=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     ike=aes16-sha256-ecp256!
>     esp=aes128gcm128!
>
> conn rw
>     left=192.168.1.100
>     leftfirewall=yes
>     leftcert=moonCert.pem
>     leftid=@moon.strongswan.org
>     leftsubnet=10.1.0.0/16
>     right=%any
>     auto=add
>
> # config setup
> # plutodebug=all
> # crlcheckinterval=600
> # strictcrlpolicy=yes
> # cachecrls=yes
> # nat_traversal=yes
> # charonstart=yes
> # plutostart=yes
>
> # Add connections here.
>
> # Sample VPN connections
>
> # conn sample-self-signed
> # left=%defaultroute
> # leftsubnet=10.1.0.0/16
> # leftcert=selfCert.der
> # leftsendcert=never
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16
> # rightcert=peerCert.der
> # auto=start
>
> # conn sample-with-ca-cert
> # left=%defaultroute
> # leftsubnet=10.1.0.0/16
> # leftcert=myCert.pem
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16
> # rightid="C=CH, O=Linux strongSwan CN=peer name"
> # keyexchange=ikev2
> # auto=start
>
> include /var/lib/strongswan/ipsec.conf.inc
> ----------------strongswan.conf------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>     load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>
>     plugins {
>
>         sql {
>             # loglevel to log into sql database
>             loglevel = -1
>
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         }
>     }
>
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
> # set to no, the DH exponent size is optimized
> # dh_exponent_ansi_x9_42 = no
> }
>
> -------road warrior carol----------------
> ~$ ping 192.168.1.100
> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
> 64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
> 64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
> ~$ sudo /etc/init.d/iptables start 2> /dev/null
> ~$ sudo ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 4.5.2 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> ~$ sudo ipsec up home
> initiating IKE_SA home[1] to 192.168.1.100
> configured DH group MODP_NONE not supported
> tried to check-in and delete nonexisting IKE_SA
> ---------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>
>     plugins {
>
>         sql {
>             # loglevel to log into sql database
>             loglevel = -1
>
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         }
>     }
>
>     load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
> # set to no, the DH exponent size is optimized
> # dh_exponent_ansi_x9_42 = no
> }
> ---------------------------------------------------------------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     charonstart=yes
>     # plutostart=yes
>     crlcheckinterval=180
>     strictcrlpolicy=yes
>     plutostart=no
>
> # Add connections here.
>
> # Sample VPN connections
>
> # conn sample-self-signed
> # left=%defaultroute
> # leftsubnet=10.1.0.0/16
> # leftcert=selfCert.der
> # leftsendcert=never
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16
> # rightcert=peerCert.der
> # auto=start
>
> # conn sample-with-ca-cert
> # left=%defaultroute
> # leftsubnet=10.1.0.0/16
> # leftcert=myCert.pem
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16
> # rightid="C=CH, O=Linux strongSwan CN=peer name"
> # keyexchange=ikev2
> # auto=start
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     ike=aes16-sha256-ecp256!
>     esp=aes128gcm128!
>
> conn home
>     left=192.168.1.105
>     leftfirewall=yes
>     leftcert=carolCert.pem
>     leftid=carol@strongswan.org
>     right=192.168.1.100
>     rightsubnet=10.1.0.0/16
>     rightid=@moon.strongswan.org
>     auto=add
>
> include /var/lib/strongswan/ipsec.conf.inc
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Wed 1/4/2012 11:03 PM
> To: Philip Anil-QBW348
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
>
> Just something came to my mind:
>
> Did you define an elliptic curve Diffie-Hellman group,
> e.g. ecp256? If yes then you must load the openssl plugin
> both on moon and carol which gives you ECC support.
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
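
A pre-flight check for the keyword typo discussed in this thread, as an added example that is not part of the original messages and not strongSwan's own code. It scans ipsec.conf text for ike=/esp= proposals and flags any keyword outside an allow-list built only from the proposals quoted above (an assumption; strongSwan accepts many more keywords), and any proposal left without an algorithm of a required kind.

```python
import re

# Keywords taken only from the proposals quoted in this thread; strongSwan
# accepts many more, so extend these sets for a real deployment (assumption).
KNOWN = {
    "ike": {"encryption": {"aes128", "aes256"},
            "integrity": {"sha256", "sha384"},
            "dh_group": {"ecp256", "ecp384"}},
    "esp": {"encryption": {"aes128gcm128", "aes256gcm16"}},
}

def lint_proposals(conf_text):
    """Return (line_no, key, problem) for each suspicious ike=/esp= proposal."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.fullmatch(r"(ike|esp)\s*=\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).rstrip("!").strip()
        for proposal in value.split(","):
            seen = set()
            for token in proposal.strip().split("-"):
                kind = next((k for k, names in KNOWN[key].items()
                             if token in names), None)
                if kind is None:
                    findings.append((no, key, f"unknown keyword '{token}'"))
                else:
                    seen.add(kind)
            for kind in KNOWN[key]:                    # every kind must appear
                if kind not in seen:
                    findings.append((no, key, f"no {kind} algorithm"))
    return findings

# Constructed sample: the conn %default proposals as posted in the thread.
POSTED = """\
conn %default
    keyexchange=ikev2
    ike=aes16-sha256-ecp256!
    esp=aes128gcm128!
"""
# Same section with the keyword corrected as in the reply.
CORRECTED = POSTED.replace("ike=aes16-", "ike=aes128-")

if __name__ == "__main__":
    for finding in lint_proposals(POSTED):
        print(finding)
```
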