[strongSwan] ECDSA authentication in BSD

Andreas Steffen andreas.steffen at strongswan.org
Thu Jun 28 06:27:44 CEST 2012

Hi Chris,

the problem is not ECDSA authentication but the configuration of
AES-GCM in the kernel which is not possible because the PFKEY
interface does not support the configuration of ESP authenticated
encryption (AEAD) algorithms. I don't know whether BSD implements
AES-GCM at all and if yes, if BSD has defined a private extension of
the RFC 2367 PFKEYv2 interface.

Best regards


On 06/27/2012 11:38 PM, Chris Rogers wrote:
> Hello,
> I'm still fairly new to StrongSwan, but have been working with advanced
> configuration settings in an attempt to implement a specific security
> protocol.  In my tests, I've discovered that it works fine on Linux, but
> I've run into problems while trying to get it to work on BSD; namely, as
> BSD doesn't have netlink, I'm getting the 'unable to allocate SBIs from
> kernel' error.
> Excerpt from ipsec.conf:
> authby=ecdsasig
> esp=aes256gcm16!
> ike=aes256-sha2_384-ecp256
> Ultimately, what I would like to know is this: Does ecdsa authentication
> /require/ Linux Netlink, and if not how might I go about dealing with
> this error in BSD?  If more information is needed I can provide it tomorrow.
> Chris

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list