[strongSwan] newbie qs. suite B with AES-GCM
Andreas Steffen
andreas.steffen at strongswan.org
Fri Jan 6 00:21:32 CET 2012
Oops, yes that was a typo.
Andreas
On 06.01.2012 00:13, Philip Anil-QBW348 wrote:
> Andreas,
> In your earlier email you mentioned - perhaps it was a typo:
>
> The Suite B parameters for IKE and ESP would be
>
> * 128 bit security
> ike=aes16-sha256-ecp256!
> esp=aes128gcm128!
>
> * 192 bit security
> ike=aes256-sha384-ecp384!
> esp=aes256gcm16!
>
> Regards
>
> Andreas
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Thursday, January 05, 2012 4:39 PM
> To: Philip Anil-QBW348
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
>
> Hi Anil,
>
> your configuration
>
> ike=aes16-sha256-ecp256!
>
> is faulty. It should be
>
> ike=aes128-sha256-ecp256!
>
> Regards
>
> Andreas
>
> On 05.01.2012 17:52, Philip Anil-QBW348 wrote:
>> Andreas,
>> I added openssl to the load command in strongswan.conf.
>> Still the same problem.
>> Anil
>>
>> -----------MOON----------------
>> anil at spg-strongswan:~$ sudo ipsec restart
>> Stopping strongSwan IPsec...
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> ----------ipsec.conf-------------
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>> config setup
>> crlcheckinterval=180
>> strictcrlpolicy=yes
>> plutostart=no
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> ike=aes16-sha256-ecp256!
>> esp=aes128gcm128!
>>
>> conn rw
>> left=192.168.1.100
>> leftfirewall=yes
>> leftcert=moonCert.pem
>> leftid=@moon.strongswan.org
>> leftsubnet=10.1.0.0/16
>> right=%any
>> auto=add
>>
>> # config setup
>> # plutodebug=all
>> # crlcheckinterval=600
>> # strictcrlpolicy=yes
>> # cachecrls=yes
>> # nat_traversal=yes
>> # charonstart=yes
>> # plutostart=yes
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> # conn sample-self-signed
>> # left=%defaultroute
>> # leftsubnet=10.1.0.0/16
>> # leftcert=selfCert.der
>> # leftsendcert=never
>> # right=192.168.0.2
>> # rightsubnet=10.2.0.0/16
>> # rightcert=peerCert.der
>> # auto=start
>>
>> # conn sample-with-ca-cert
>> # left=%defaultroute
>> # leftsubnet=10.1.0.0/16
>> # leftcert=myCert.pem
>> # right=192.168.0.2
>> # rightsubnet=10.2.0.0/16
>> # rightid="C=CH, O=Linux strongSwan CN=peer name"
>> # keyexchange=ikev2
>> # auto=start
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>> ----------------strongswan.conf------------------------
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation
>> hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>>
>> # number of worker threads in charon
>> threads = 16
>>
>> # send strongswan vendor ID?
>> # send_vendor_id = yes
>>
>> plugins {
>>
>> sql {
>> # loglevel to log into sql database
>> loglevel = -1
>>
>> # URI to the database
>> # database = sqlite:///path/to/file.db
>> # database =
>> mysql://user:password@localhost/database
>> }
>> }
>>
>> # ...
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>> # set to no, the DH exponent size is optimized
>> # dh_exponent_ansi_x9_42 = no
>> }
>>
>> -------road warrior carol----------------
>> ~$ ping 192.168.1.100
>> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
>> 64 bytes from 192.168.1.100: icmp_req=1 ttl=64 time=5.87 ms
>> 64 bytes from 192.168.1.100: icmp_req=2 ttl=64 time=3.81 ms
>> ~$ sudo /etc/init.d/iptables start 2> /dev/null
>> ~$ sudo ipsec restart
>> Stopping strongSwan IPsec...
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> ~$ sudo ipsec up home
>> initiating IKE_SA home[1] to 192.168.1.100
>> configured DH group MODP_NONE not supported
>> tried to check-in and delete nonexisting IKE_SA
>> ---------------------------
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>
>> # number of worker threads in charon
>> threads = 16
>>
>> # send strongswan vendor ID?
>> # send_vendor_id = yes
>>
>> plugins {
>>
>> sql {
>> # loglevel to log into sql database
>> loglevel = -1
>>
>> # URI to the database
>> # database = sqlite:///path/to/file.db
>> # database =
>> mysql://user:password@localhost/database
>> }
>> }
>>
>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation
>> hmac xcbc gcm stroke kernel-netlink socket-default updown openssl
>> # ...
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>> # set to no, the DH exponent size is optimized
>> # dh_exponent_ansi_x9_42 = no
>> }
>> ---------------------------------------------------------------
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>> # plutodebug=all
>> # crlcheckinterval=600
>> # strictcrlpolicy=yes
>> # cachecrls=yes
>> # nat_traversal=yes
>> charonstart=yes
>> # plutostart=yes
>> crlcheckinterval=180
>> strictcrlpolicy=yes
>> plutostart=no
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> # conn sample-self-signed
>> # left=%defaultroute
>> # leftsubnet=10.1.0.0/16
>> # leftcert=selfCert.der
>> # leftsendcert=never
>> # right=192.168.0.2
>> # rightsubnet=10.2.0.0/16
>> # rightcert=peerCert.der
>> # auto=start
>>
>> # conn sample-with-ca-cert
>> # left=%defaultroute
>> # leftsubnet=10.1.0.0/16
>> # leftcert=myCert.pem
>> # right=192.168.0.2
>> # rightsubnet=10.2.0.0/16
>> # rightid="C=CH, O=Linux strongSwan CN=peer name"
>> # keyexchange=ikev2
>> # auto=start
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> ike=aes16-sha256-ecp256!
>> esp=aes128gcm128!
>>
>> conn home
>> left=192.168.1.105
>> leftfirewall=yes
>> leftcert=carolCert.pem
>> leftid=carol at strongswan.org
>> right=192.168.1.100
>> rightsubnet=10.1.0.0/16
>> rightid=@moon.strongswan.org
>> auto=add
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: Wed 1/4/2012 11:03 PM
>> To: Philip Anil-QBW348
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] newbie qs. suite B with AES-GCM
>>
>> Just something came to my mind:
>>
>> Did you define an elliptic curve Diffie-Hellman group,
>> e.g. ecp256? If yes then you must load the openssl plugin
>> both on moon and carol which gives you ECC support.
>>
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4489 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120106/d66a55ff/attachment.bin>
More information about the Users
mailing list