[strongSwan] configuring gcm mode on android

william masson wemasson at gmail.com
Thu Jan 12 19:55:07 CET 2012


Thanks Tobias,

I'm actually trying to do esp=aes128cgm16!
Here's where I show off my ignorance.
How do you configure something like this on an Android client?
There doesn't seem to be an ipsec.conf file.

Regards,
Bill


Hi Bill,

> Jan 12 12:11:24 14[CFG] received proposals:
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jan 12 12:11:24 14[CFG] configured proposals:
> ESP:AES_GCM_16_128/NO_EXT_SEQ
> Jan 12 12:11:24 14[IKE] no acceptable proposal found

You configured esp=aes128cgm16-sha256! on the gateway but did not do so
on the client.  Therefore, the client sends its default proposal which
does not include AES-GCM.  Hence, no matching proposal is found.

Regards,
Tobias



On Thu, Jan 12, 2012 at 12:27 PM, william masson <wemasson at gmail.com> wrote:

> Hi Tobias,
>
> Thanks for putting me on the right track.
> I've enabled CONFIG_GCM, CONFIG_SHA256 in the android kernel and flashed
> the handset.
> I noticed that GCM is configured as a module in my Ubuntu server so I did
> a modprobe on it just to make sure it was loaded.
> Still not connecting tho.
>
> charon.log shows:
>
> no acceptable ENCRYPTION_ALGORITHM found
> Jan 12 12:11:24 14[CFG] received proposals:
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
> Jan 12 12:11:24 14[IKE] no acceptable proposal found
>
> any thoughts?
> Regards,
> Bill
>
>
>
> Hi Bill,
>
> > I want to use the gcm block cypher. (esp=aes128cgm16!)
> > I added gcm to the Android.mk in the strongswan_CHARON_PLUGINS list and
> > also added it to the Android.mk in src/libstrongswan.
>
> The gcm plugin you activated with the above is for strongSwan internal
> use with the key exchange protocol IKEv2 and not on the IPsec level with
> ESP, which is what you want to enable with the esp= option.  Since ESP
> is handled by the Linux kernel you have to build your own kernel with
> CRYPTO_GCM enabled in the options.  So if you don't want to actually use
> AES-GCM with IKEv2 itself you don't have to do anything special when
> building strongSwan.
>
> > The server was configured using --enable-gcm option and an ipsec listall
> > seems to confirm that the server supports it.
>
> Same applies here, --enable-gcm only enables GCM for IKEv2.  Depending
> on the Linux distribution you use, GCM may already be enabled in the
> default kernel.
>
> Regards,
> Tobias
>
>
>
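
Added example, not part of the original thread and not strongSwan code: a simplified model of the proposal comparison that explains the "no acceptable proposal found" lines quoted above. The log lines are copied from the thread; the function names and the algorithm classification are assumptions made for illustration, and one proposal per log entry is assumed.

```python
import re

# Simplified classification of the transform names that appear in the log.
AEAD = re.compile(r"^(AES_GCM|AES_CCM|CHACHA20_POLY1305)")
INTEG = re.compile(r"^(HMAC_|AES_XCBC_|AES_CMAC_)")
ESN = {"NO_EXT_SEQ", "EXT_SEQ"}

SAMPLE_LOG = [  # lines as quoted in the thread (first entry is wrapped)
    "Jan 12 12:11:24 14[CFG] received proposals:",
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/"
    "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ",
    "Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ",
    "Jan 12 12:11:24 14[IKE] no acceptable proposal found",
]

def proposals_from_log(lines):
    """Return (received, configured) proposal strings from charon [CFG] lines."""
    found, pending = {}, None
    for line in lines:
        m = re.search(r"\[CFG\] (received|configured) proposals:\s*(.*)", line)
        if m and m.group(2).strip():
            found[m.group(1)], pending = m.group(2).strip(), None
        elif m:
            pending = m.group(1)          # proposal text is on the next line
        elif pending and line.strip():
            found[pending], pending = line.strip(), None
    return found.get("received"), found.get("configured")

def parse_proposal(text):
    """Split 'ESP:ALG/ALG/...' into the protocol and per-type algorithm sets."""
    proto, _, algs = text.strip().partition(":")
    out = {"proto": proto, "encr": set(), "integ": set(), "esn": set()}
    for alg in algs.split("/"):
        kind = "esn" if alg in ESN else "integ" if INTEG.match(alg) else "encr"
        out[kind].add(alg)
    return out

def missing_transforms(received, configured):
    """List the transform types for which the two sides share no algorithm."""
    r, c = parse_proposal(received), parse_proposal(configured)
    if r["proto"] != c["proto"]:
        return ["PROTOCOL"]
    missing, common = [], r["encr"] & c["encr"]
    if not common:
        missing.append("ENCRYPTION_ALGORITHM")
    elif not any(AEAD.match(a) for a in common) and not r["integ"] & c["integ"]:
        missing.append("INTEGRITY_ALGORITHM")  # AEAD ciphers need no separate one
    if not r["esn"] & c["esn"]:
        missing.append("EXTENDED_SEQUENCE_NUMBERS")
    return missing

if __name__ == "__main__":
    print(missing_transforms(*proposals_from_log(SAMPLE_LOG)))
```

Run against the thread's log, the result names the encryption algorithm as the only transform type without overlap, which matches the "no acceptable ENCRYPTION_ALGORITHM found" line and Tobias's diagnosis that the client never proposed AES-GCM.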