[strongSwan] received netlink error: No such file or directory (2) -- 96-bit truncation issue?
Aaron Wood
woody77 at gmail.com
Thu Jan 16 22:43:31 CET 2014
All,
I'm trying to setup StrongSwan (4.5.2) on a fairly old kernel (2.6.31)
that's been banged on by a couple different people (including a bunch of
binary blob drivers), it's running a variant of OpenWRT.
At this point, since I can successfully use the same configuration on other
platforms (newer vanilla OpenWRT builds), and due to the following errors
from charon, I think it's due to the 96-bit truncation of hashes in the
kernel:
Jan 16 18:21:32 15[KNL] adding SAD entry with SPI c02c6c28 and reqid {2}
Jan 16 18:21:32 15[KNL] using encryption algorithm AES_CBC with key size
128
Jan 16 18:21:32 15[KNL] using integrity algorithm HMAC_SHA1_96 with key
size 160
Jan 16 18:21:32 15[KNL] received netlink error: No such file or directory
(2)
....
Jan 16 18:32:57 11[KNL] adding SAD entry with SPI c505fe3b and reqid {3}
Jan 16 18:32:57 11[KNL] using encryption algorithm AES_CBC with key size
128
Jan 16 18:32:57 11[KNL] using integrity algorithm HMAC_MD5_96 with key
size 128
Jan 16 18:32:57 11[KNL] received netlink error: No such file or directory
(2)
Previous discussions on this mailing list suggested using the
esp=aes128-sha256_96 option, yet that's how I got the first error above.
I've tried different hashes, and I always get either the above errors, or
a "not implemented (89)" error, if I try to use something like sha384.
I'm actually starting to wonder if my kernel has been patched to not
incorrectly truncate, but I can't seem to talk strongswan into using
128-bit lengths with sha or md5. It always tries to use 96-bit lengths.
I do know that the sha and md5 algorithms exist, they're being loaded
correctly, and when I do an lsmod I see:
sha_generic
md5_generic
hmac
aes_generic
etc.
Any suggestions on where to go to narrow this down? Any pointers into
which parts of the kernel source to look at to see if it's not truncated?
And if so, can strongswan be rebuilt with an option to not try to use the
truncated lengths? Attempt to build a newer version of strongswan?
Any pointers on where to head next would greatly be appreciated.
Thanks,
Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140116/b5aa3cbe/attachment.html>
More information about the Users
mailing list