[strongSwan] [Strongswan] AH mode support in Strongswan for Ikev1
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Wed May 30 09:02:11 CEST 2012
Hi Andreas,
Thanks for your prompt reply. I need one more clarification from you.
Is there any command or tool in strongSwan to see encryption statistics for
the NETKEY stack?
I mean statistics like:
Number of packets encrypted using ESP
Number of packets dropped by the tunnel, and so on.
Regards,
Saravanan N
On Mon, May 28, 2012 at 8:24 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hello,
>
> AH without ESP is not supported by strongSwan IKEv1 (which goes all
> the way back to FreeS/WAN).
>
> With auth=esp, which is the default, you opt for ESP encryption and ESP's
> optional authentication mode.
>
> With auth=ah you get ESP encryption without ESP's optional
> authentication mode, but you get AH on top of ESP instead.
>
> If you don't want to encrypt your packets please use either
> ESP NULL encryption
>
> http://www.strongswan.org/uml/testresults/ikev1/esp-alg-null
>
> or AES-GMAC
>
> http://www.strongswan.org/uml/testresults/ikev1/esp-alg-aes-gmac
>
> Regards
>
> Andreas
>
> On 28.05.2012 15:40, SaRaVanAn wrote:
> > Hi Team,
> > I hope AH mode in strongSwan is supported for IKEv1. But I tried
> > to form a tunnel using AH mode with IKEv1, and strongSwan was expecting an
> > ESP proposal even though I configured auth=ah. If AH mode is supported for
> > IKEv1, please correct me if there is any syntax error in the configuration
> > file below that makes this not work.
> >
> > *ipsec.conf*
> > ____________
> > # basic configuration
> > ca vpnca
> >     cacert=ca1Cert.pem
> >     #crluri=crl.pem
> >     auto=add
> >
> > config setup
> >     plutostart=yes
> >     plutodebug=all
> >     charonstart=yes
> >     charondebug=all
> >     nat_traversal=yes
> >     crlcheckinterval=10m
> >     strictcrlpolicy=no
> >
> > conn %default
> >     ikelifetime=1h
> >     keylife=2h
> >     keyingtries=1
> >
> > conn fqdn_vr
> >     auth=ah
> >     type=transport
> >     keyexchange=ikev1
> >     left=172.31.114.227
> >     right=%any
> >     rightid=172.31.114.211
> >     pfs=no
> >     rekey=no
> >     auto=add
> >
> > *logs*
> > _____
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI attribute:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: ENCAPSULATION_MODE
> > May 28 18:48:07 uxcasxxx pluto[32284]: | length/value: 1
> > May 28 18:48:07 uxcasxxx pluto[32284]: | [1 is ENCAPSULATION_MODE_TUNNEL]
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI attribute:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: AUTH_ALGORITHM
> > May 28 18:48:07 uxcasxxx pluto[32284]: | length/value: 2
> > May 28 18:48:07 uxcasxxx pluto[32284]: | [2 is HMAC_SHA1]
> > May 28 18:48:07 uxcasxxx pluto[32284]: | policy for "fqdn_vr" requires encryption but ESP not in Proposal from 172.31.114.211
> > May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: no acceptable Proposal in IPsec SA
> > May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.31.114.211:500
> > May 28 18:48:07 uxcasxxx pluto[32284]: | **emit ISAKMP Message:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | initiator cookie:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | 39 e8 20 f0 36 bb c5 63
> > May 28 18:48:07 uxcasxxx pluto[32284]: | responder cookie:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | 1b 60 45 9a ac b4 b9 d9
> > May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_HASH
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ISAKMP version: ISAKMP Version 1.0
> > May 28 18:48:07 uxcasxxx pluto[32284]: | exchange type: ISAKMP_XCHG_INFO
> > May 28 18:48:07 uxcasxxx pluto[32284]: | flags: ISAKMP_FLAG_ENCRYPTION
> > May 28 18:48:07 uxcasxxx pluto[32284]: | message ID: 4a 6d 47 56
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Hash Payload:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_N
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Hash Payload: 24
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Notification Payload:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_NONE
> > May 28 18:48:07 uxcasxxx pluto[32284]: | DOI: ISAKMP_DOI_IPSEC
> > May 28 18:48:07 uxcasxxx pluto[32284]: | protocol ID: 1
> > May 28 18:48:07 uxcasxxx pluto[32284]: | SPI size: 0
> > May 28 18:48:07 uxcasxxx pluto[32284]: | Notify Message Type: NO_PROPOSAL_CHOSEN
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload
> > May 28 18:48:07 uxcasxxx pluto[32284]: | spi
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Notification Payload: 12
> >
> >
> > Regards,
> > Saravanan N
> ================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
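The two non-encrypting alternatives Andreas points to, written out as ipsec.conf conn sections. This is an added example for readers of the archive, not configuration from the thread or from the strongSwan test scenarios he links. It keeps the poster's addresses and the default auth=esp; the esp= line selects the cipher suite and the trailing "!" makes the proposal strict. null-sha1 and aes128gmac are the standard strongSwan proposal keywords, but that this particular 4.x IKEv1 (pluto) build accepts both is an assumption to check against the linked test results and the negotiated proposal in the pluto log.

```conf
# Added example, not from the thread: integrity without confidentiality on an
# IKEv1 transport-mode conn. auth=esp (the default) is kept deliberately;
# auth=ah would add an AH header on top of an encrypting ESP SA.

# ESP with NULL encryption and HMAC-SHA1 integrity (ESP-NULL).
conn transport-esp-null
    keyexchange=ikev1
    type=transport
    auth=esp
    esp=null-sha1!
    left=172.31.114.227
    right=%any
    rightid=172.31.114.211
    auto=add

# ESP with AES-GMAC: integrity only, no encryption of the payload.
conn transport-aes-gmac
    keyexchange=ikev1
    type=transport
    auth=esp
    esp=aes128gmac!
    left=172.31.114.227
    right=%any
    rightid=172.31.114.211
    auto=add
```

Caveat when choosing between these and a real AH bundle: both ESP-NULL and AES-GMAC authenticate only the ESP payload, whereas AH also covers the immutable fields of the outer IP header. If header integrity is the actual requirement, auth=ah (ESP plus AH, as described in the reply) is the only option in this IKEv1 implementation; if it is not, an ESP-only SA is simpler and avoids a second SA per direction.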
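On the statistics question asked at the top of the thread: with the NETKEY stack the per-SA counters live in the kernel's xfrm state, not in pluto, so the place to look is `ip -s xfrm state` (bytes and packets per SA, plus replay and integrity-failure counts) and `/proc/net/xfrm_stat` (global drop/error counters such as XfrmInNoStates). The script below is an added example, not code from the thread or the strongSwan project; it parses both outputs and sums them. The two samples embedded in it are constructed to look like that output so the script runs offline; on a live host pipe the real commands in instead.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project). The counters
# asked about are kept by the Linux xfrm (NETKEY) stack, not by pluto:
#   ip -s xfrm state          per-SA bytes/packets, replay hits, integrity failures
#   cat /proc/net/xfrm_stat   global drop/error counters (XfrmInNoStates, ...)
# Both samples below are constructed; on a real host run the commands as root
# and pipe their output into the functions instead.

XFRM_STATE_SAMPLE='src 172.31.114.227 dst 172.31.114.211
    proto esp spi 0x0a1b2c3d reqid 1 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
    enc ecb(cipher_null)
    lifetime current:
      5120(bytes), 40(packets)
    stats:
      replay-window 0 replay 0 failed 0
src 172.31.114.211 dst 172.31.114.227
    proto esp spi 0x4e5f6a7b reqid 1 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xffeeddccbbaa99887766554433221100ffeeddcc 96
    enc ecb(cipher_null)
    lifetime current:
      3840(bytes), 30(packets)
    stats:
      replay-window 0 replay 2 failed 1'

XFRM_STAT_SAMPLE='XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  3
XfrmInStateProtoError           0
XfrmInStateSeqError             2
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmOutError                    0
XfrmOutNoStates                 1
XfrmOutPolBlock                 0'

# One line per SA from `ip -s xfrm state` text on stdin:
#   src dst proto spi packets bytes replay_hits integrity_failures
sa_counters() {
    awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4 }
        $1 == "proto"              { proto = $2; spi = $4 }
        # "lifetime current:" is followed by "<N>(bytes), <M>(packets)"
        $1 ~ /\(bytes\),$/ && $2 ~ /\(packets\)$/ {
            bytes = $1;   sub(/\(bytes\),/, "", bytes)
            packets = $2; sub(/\(packets\)/, "", packets)
        }
        # the "stats:" line (replay-window N replay N failed N) closes the record
        $1 == "replay-window" && $3 == "replay" && $5 == "failed" {
            print src, dst, proto, spi, packets, bytes, $4, $6
        }
    '
}

# Total packets processed by all SAs of one protocol (esp or ah).
packets_for_proto() {
    sa_counters | awk -v p="$1" '$3 == p { n += $5 } END { print n + 0 }'
}

# Non-zero lines of /proc/net/xfrm_stat (every counter in that file counts a
# packet the stack refused or failed to process), then their sum.
xfrm_drop_summary() {
    awk '$2 > 0 { print $1, $2; n += $2 } END { print "total", n + 0 }'
}

# Convenience wrappers over the constructed samples.
esp_packets() { printf '%s\n' "$XFRM_STATE_SAMPLE" | packets_for_proto esp; }
total_drops() {
    printf '%s\n' "$XFRM_STAT_SAMPLE" | xfrm_drop_summary | awk '$1 == "total" { print $2 }'
}

printf '%s\n' "$XFRM_STATE_SAMPLE" | sa_counters
echo "ESP packets: $(esp_packets)"
printf '%s\n' "$XFRM_STAT_SAMPLE" | xfrm_drop_summary
```

On a live host: `ip -s xfrm state | sa_counters` and `xfrm_drop_summary < /proc/net/xfrm_stat`. Two things to keep in mind when reading the numbers: the per-SA counters start at zero for every new SA, so they reset on each rekey, while xfrm_stat is cumulative since boot; and "failed" on the stats line is the integrity-check failure count and "replay" the anti-replay reject count, so a climbing "failed" on an ESP-NULL or GMAC SA means authenticated-but-tampered or mis-keyed traffic, not an encryption problem. XfrmInNoStates and XfrmInTmplMismatch are the usual signatures of a policy/SA mismatch like the one in the log above.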