[strongSwan] Users Digest, Vol 44, Issue 24

A Lee aganguly14 at gmail.com
Tue Sep 17 11:33:23 CEST 2013


Hi,

Thanks for the suggestions you provided.

The suggestions you provided:

a) change kernel version.
b) downgrade strongswan to 4.3.9.
c) rebuild the code with the solution provided.


I have tried b) and c) but the same error persists.

For b) I have installed version 4.3.7.

I guess I have to try option a) as only this is left.


Thanks and Regards,
Avishek Ganguly


On Tue, Sep 17, 2013 at 3:30 PM, <users-request at lists.strongswan.org> wrote:

> Today's Topics:
>
>    1. Re: Netlink error Invalid Argument(22) (Thomas Egerer)
>    2. Re: IKev1 + eap-tls possible? (Martin Willi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 17 Sep 2013 08:43:52 +0200
> From: Thomas Egerer <hakke_007 at gmx.de>
> Subject: Re: [strongSwan] Netlink error Invalid Argument(22)
> To: A Lee <aganguly14 at gmail.com>
> Cc: users at lists.strongswan.org
> Message-ID: <5237FA28.7070509 at gmx.de>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 09/17/2013 05:45 AM, A Lee wrote:
> > Hi,
> >
> > Thanks for the suggestion.
> >
> > Kernel module for sha256 is already there and also loaded.
> >
> > My kernel 2.6.18-128.el5
> >
> > Also sha2 support is there.
> >
> > output of 'grep sha2 /proc/crypto' is ----
> >
> > name:         sha256 driver:          sha256-generic module:       sha256
> Hi,
>
> charon requests the crypto algorithm 'hmac(sha256)' (this was
> changed with 4.3.6), while your kernel algorithm list for ipsec
> (xfrm) provides this algorithm under the name 'sha256'.
> Bottom line is, you need to
> a) update your kernel to at least 2.6.19,
> b) downgrade your strongswan version to 4.3.5,
> c) modify your strongswan-source and rebuild like this:
>
> diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> index 2f8cb6b..9a1330f 100644
> --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> @@ -211,7 +211,7 @@ static kernel_algorithm_t integrity_algs[] = {
>         {AUTH_HMAC_SHA1_96,                     "sha1"
>      },
>         {AUTH_HMAC_SHA1_160,            "hmac(sha1)"            },
>         {AUTH_HMAC_SHA2_256_96,         "sha256"                        },
> -       {AUTH_HMAC_SHA2_256_128,        "hmac(sha256)"          },
> +       {AUTH_HMAC_SHA2_256_128,        "sha256"                        },
>         {AUTH_HMAC_SHA2_384_192,        "hmac(sha384)"          },
>         {AUTH_HMAC_SHA2_512_256,        "hmac(sha512)"          },
>  /*     {AUTH_DES_MAC,                          "***"
>       }, */
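Review bot: On the changed line, AUTH_HMAC_SHA2_256_128 now carries the same kernel name, "sha256", as the AUTH_HMAC_SHA2_256_96 entry directly above it, so the name alone no longer tells the kernel which truncation length is meant. Before relying on the rebuilt binary, confirm that the installed SA uses the ICV length negotiated with the peer; a mismatch would show up as failed integrity checks on ESP traffic even though the netlink error is gone. The edit is also unconditional, so the same build breaks 'hmac(sha256)' lookups on kernels from 2.6.19 on, which the message names as the first version that works unpatched. A comment on the changed line stating the kernel range it targets, or a build-time guard, would keep the workaround from reaching other deployments.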
>
> I would not recommend b), so if you really need to stick to your
> kernel-version, try option c).
>
> Hope that helps,
>
> Cheers,
> Thomas
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 17 Sep 2013 10:13:13 +0200
> From: Martin Willi <martin at strongswan.org>
> Subject: Re: [strongSwan] IKev1 + eap-tls possible?
> To: WorkingMan <signup_mail2002 at yahoo.com>
> Cc: users at lists.strongswan.org
> Message-ID: <1379405593.2996.21.camel at martin>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi,
>
> > Is it possible to make ikev1 client (ex: ios) work with eap-radius and
> > eap-tls?
>
> No. IKEv1 does not use EAP, so you definitely can't run any EAP method
> between the client and the IPsec gateway.
>
> > Only xauth-eap seems to make ikev1 work with FreeRadius
>
> xauth-eap just takes XAuth credentials and verifies them over EAP. But
> this works only for passwords (or tokens); XAuth is not involved in
> IKEv1 certificate authentication.
>
> > I was thinking xauth-eap works fine except for the password part. Also I
> > would like the client certificate to be authenticated by RADIUS (so things
> > are centralized in one place for authentication).
>
> IKEv1 certificate authentication is part of the core IKEv1 protocol and
> not XAuth. There are currently no hooks in strongSwan to delegate
> signature verification to a third party, because this hardly makes
> sense.
>
> If you really need something like that, you could replace the IKEv1
> public key authenticator [1] by something that delegates verification to
> a third party.
>
> Instead of doing such a non-trivial extension, I'd recommend doing
> signature verification on the IPsec gateway, and using eap-radius just for
> accounting on your AAA server.
>
> Regards
> Martin
>
> [1]
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c