[strongSwan] newbie qs. suite B with AES-GCM

Andreas Steffen andreas.steffen at strongswan.org
Fri Jan 6 00:21:32 CET 2012


Oops, yes that was a typo.

Andreas

On 06.01.2012 00:13, Philip Anil-QBW348 wrote:
> Andreas,
> In your earlier email you mentioned - perhaps it was a typo:
> 
> The Suite B parameters for IKE and ESP would be
> 
> * 128 bit security
> ike=aes16-sha256-ecp256!
> esp=aes128gcm128!
> 
> * 192 bit security
> ike=aes256-sha384-ecp384!
> esp=aes256gcm16!
> 
> Regards
> 
> Andreas
> 
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
> Sent: Thursday, January 05, 2012 4:39 PM
> To: Philip Anil-QBW348
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
> 
> Hi Anil,
> 
> your configuration
> 
>    ike=aes16-sha256-ecp256!
> 
> is faulty. It should be
> 
>    ike=aes128-sha256-ecp256!
> 
> Regards
> 
> Andreas
> 
> On 05.01.2012 17:52, Philip Anil-QBW348 wrote:
>> Andreas,
>> I added openssl to the load command in strongswan.conf.
>> Still the same problem.
>> Anil
>>
>> -----------MOON----------------
>> anil at spg-strongswan:~$ sudo ipsec restart
>> Stopping strongSwan IPsec...
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> ----------ipsec.conf-------------
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>> config setup
>>         crlcheckinterval=180
>>         strictcrlpolicy=yes
>>         plutostart=no
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         ike=aes16-sha256-ecp256!
>>         esp=aes128gcm128!
>>
>> conn rw
>>         left=192.168.1.100
>>         leftfirewall=yes
>>         leftcert=moonCert.pem
>>         leftid=@moon.strongswan.org
>>         leftsubnet=10.1.0.0/16
>>         right=%any
>>         auto=add
>>
>> # config setup
>> # plutodebug=all
>> # crlcheckinterval=600
>> # strictcrlpolicy=yes
>> # cachecrls=yes
>> # nat_traversal=yes
>> # charonstart=yes
>> # plutostart=yes
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> # conn sample-self-signed
>> #      left=%defaultroute
>> #      leftsubnet=10.1.0.0/16
>> #      leftcert=selfCert.der
>> #      leftsendcert=never
>> #      right=192.168.0.2
>> #      rightsubnet=10.2.0.0/16
>> #      rightcert=peerCert.der
>> #      auto=start
>>
>> # conn sample-with-ca-cert
>> #      left=%defaultroute
>> #      leftsubnet=10.1.0.0/16
>> #      leftcert=myCert.pem
>> #      right=192.168.0.2
>> #      rightsubnet=10.2.0.0/16
>> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
>> #      keyexchange=ikev2
>> #      auto=start
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>> ----------------strongswan.conf------------------------
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation
>> hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>>
>>         # number of worker threads in charon
>>         threads = 16
>>
>>         # send strongswan vendor ID?
>>         # send_vendor_id = yes
>>
>>         plugins {
>>
>>                 sql {
>>                         # loglevel to log into sql database
>>                         loglevel = -1
>>
>>                         # URI to the database
>>                         # database = sqlite:///path/to/file.db
>>                         # database =
>> mysql://user:password@localhost/database
>>                 }
>>         }
>>
>>         # ...
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>>         #  set to no, the DH exponent size is optimized
>>         #  dh_exponent_ansi_x9_42 = no
>> }
>>
>> -------road warrior carol----------------
>> ~$ ping 192.168.1.100
>> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
>> 64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
>> 64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
>> ~$ sudo /etc/init.d/iptables start 2> /dev/null
>> ~$ sudo ipsec restart
>> Stopping strongSwan IPsec...
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> ~$ sudo ipsec up home
>> initiating IKE_SA home[1] to 192.168.1.100
>> configured DH group MODP_NONE not supported
>> tried to check-in and delete nonexisting IKE_SA
>> ---------------------------
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>
>>         # number of worker threads in charon
>>         threads = 16
>>
>>         # send strongswan vendor ID?
>>         # send_vendor_id = yes
>>
>>         plugins {
>>
>>                 sql {
>>                         # loglevel to log into sql database
>>                         loglevel = -1
>>
>>                         # URI to the database
>>                         # database = sqlite:///path/to/file.db
>>                         # database =
>> mysql://user:password@localhost/database
>>                 }
>>         }
>>
>>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation
>> hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>>         # ...
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>>         #  set to no, the DH exponent size is optimized
>>         #  dh_exponent_ansi_x9_42 = no
>> }
>> ---------------------------------------------------------------
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>         # plutodebug=all
>>         # crlcheckinterval=600
>>         # strictcrlpolicy=yes
>>         # cachecrls=yes
>>         # nat_traversal=yes
>>         charonstart=yes
>>         # plutostart=yes
>>         crlcheckinterval=180
>>         strictcrlpolicy=yes
>>         plutostart=no
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> # conn sample-self-signed
>> #      left=%defaultroute
>> #      leftsubnet=10.1.0.0/16
>> #      leftcert=selfCert.der
>> #      leftsendcert=never
>> #      right=192.168.0.2
>> #      rightsubnet=10.2.0.0/16
>> #      rightcert=peerCert.der
>> #      auto=start
>>
>> # conn sample-with-ca-cert
>> #      left=%defaultroute
>> #      leftsubnet=10.1.0.0/16
>> #      leftcert=myCert.pem
>> #      right=192.168.0.2
>> #      rightsubnet=10.2.0.0/16
>> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
>> #      keyexchange=ikev2
>> #      auto=start
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         ike=aes16-sha256-ecp256!
>>         esp=aes128gcm128!
>>
>> conn home
>>         left=192.168.1.105
>>         leftfirewall=yes
>>         leftcert=carolCert.pem
>>         leftid=carol at strongswan.org
>>         right=192.168.1.100
>>         rightsubnet=10.1.0.0/16
>>         rightid=@moon.strongswan.org
>>         auto=add
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: Wed 1/4/2012 11:03 PM
>> To: Philip Anil-QBW348
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
>>
>> Just something came to my mind:
>>
>> Did you define an elliptic curve Diffie-Hellman group,
>> e.g. ecp256? If yes then you must load the openssl plugin
>> both on moon and carol which gives you ECC support.
>>
> 
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4489 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120106/d66a55ff/attachment.bin>


More information about the Users mailing list