[strongSwan] configuring gcm mode on android

william masson wemasson at gmail.com
Thu Jan 12 18:27:02 CET 2012


Hi Tobias,

Thanks for putting me on the right track.
I've enabled CONFIG_GCM, CONFIG_SHA256 in the Android kernel and flashed
the handset.
I noticed that GCM is configured as a module in my Ubuntu server so I did a
modprobe on it just to make sure it was loaded.
Still not connecting, though.

charon.log shows:

no acceptable ENCRYPTION_ALGORITHM found
Jan 12 12:11:24 14[CFG] received proposals:
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
Jan 12 12:11:24 14[IKE] no acceptable proposal found

Any thoughts?
Regards,
Bill



Hi Bill,

> I want to use the gcm block cypher. (esp=aes128cgm16!)
> I added gcm to the Android.mk in the strongswan_CHARON_PLUGINS list and
> also added it to the Android.mk in src/libstrongswan.

The gcm plugin you activated with the above is for strongSwan internal
use with the key exchange protocol IKEv2 and not on the IPsec level with
ESP, which is what you want to enable with the esp= option.  Since ESP
is handled by the Linux kernel you have to build your own kernel with
CRYPTO_GCM enabled in the options.  So if you don't want to actually use
AES-GCM with IKEv2 itself you don't have to do anything special when
building strongSwan.

> The server was configured using --enable-gcm option and an ipsec listall
> seems to confirm that the server supports it.

Same applies here, --enable-gcm only enables GCM for IKEv2.  Depending
on the Linux distribution you use, GCM may already be enabled in the
default kernel.

Regards,
Tobias
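
Added example (not part of the original thread, and not strongSwan code): a small Python parser for the charon.log proposal lines quoted in Bill's message, reporting which transform type has no algorithm in common between the received and configured ESP proposals. The grouping of transform names into types is a simplified assumption made for this example.

```python
import re

# Log lines copied from the post above; the wrapped "received proposals" line is rejoined.
SAMPLE_LOG = (
    "Jan 12 12:11:24 14[CFG] received proposals: ESP:AES_CBC_128/AES_CBC_192/"
    "AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ\n"
    "Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ\n"
    "Jan 12 12:11:24 14[IKE] no acceptable proposal found\n"
)
PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals:\s*(.+)$")

def transform_type(name):
    """Simplified grouping of charon transform names (an assumption of this example)."""
    if name.endswith("EXT_SEQ"):
        return "ESN"
    if name.startswith(("MODP_", "ECP_")):
        return "DH_GROUP"
    if name.startswith("HMAC_") or "XCBC" in name or "CMAC" in name:
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"

def parse_proposals(log_text):
    """Return {'received': [...], 'configured': [...]}, each proposal a {type: set(names)}."""
    sides = {"received": [], "configured": []}
    for line in log_text.splitlines():
        match = PROPOSAL_RE.search(line)
        if not match:
            continue
        side, body = match.groups()
        for proposal in body.split(","):  # several proposals are comma-separated
            _proto, _, transforms = proposal.strip().partition(":")
            grouped = {}
            for name in filter(None, transforms.split("/")):
                grouped.setdefault(transform_type(name), set()).add(name)
            sides[side].append(grouped)
    return sides

def mismatches(sides):
    """Map (configured_idx, received_idx) to the transform types with no common algorithm."""
    report = {}
    for ci, conf in enumerate(sides["configured"]):
        for ri, recv in enumerate(sides["received"]):
            missing = sorted(t for t, names in conf.items() if not names & recv.get(t, set()))
            if missing:
                report[(ci, ri)] = missing
    return report

if __name__ == "__main__":
    for pair, types in mismatches(parse_proposals(SAMPLE_LOG)).items():
        print(pair, "no overlap in:", ", ".join(types))
```

For the lines in this thread the only type without overlap is the encryption algorithm: the received proposal lists CBC ciphers only, while the configured proposal allows AES_GCM_16_128 alone.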