[strongSwan] Questions for getting Strongswan up and running

Noel Kuntze noel at familie-kuntze.de
Tue May 6 17:11:28 CEST 2014



Hello Brian,

Plugins in StrongSwan provide support for cryptographic operations, like Diffie-Hellman key exchanges and ciphers.
StrongSwan itself only comes with a small number of plugins for ciphers like aes or des, but not DH, which is used to negotiate the key in phase one.
Plugins provide access to 3rd party APIs, like the ones of openssl and libgmp.
The default proposal StrongSwan sends includes a DH exchange over a modulus of 2048 bit, which is provided by either libgmp or openssl.
It seems you do not have libgmp installed on your box. Please install it, then try again. As an alternative, you could also use openssl.
To use openssl instead of libgmp for cryptography, just replace gmp with openssl in the load argument in strongswan.conf.

Regards,
Noel Kuntze

Am 06.05.2014 16:54, schrieb Brian Watson:
> I also have done the following:
>
> 1. ipsec up home
>
> 2. I get the following in response
> initiating IKE_SA home[1] to 127.0.0.2
> configured DH group MODP_2048 not supported
> tried to check-in and delete nonexisting IKE_SA
> establishing connection 'home' failed
>
> Thanks!
>    Brian
>
>
> On Tue, May 6, 2014 at 9:06 AM, Brian Watson <bwats9999 at gmail.com> wrote:
>
>     I have setup strongswan with the config files on 2 virtual boxes running Ubuntu 14.04. I have the following with the 2nd virtual machine basically mirroring the first with the exception of the ip address being swapped around:
>
>     1. I setup the config files on 2 Ubuntu virtualbox machines
>       ipsec.conf
>       -------------------------
>       config setup
>
>       conn %default
>               ikelifetime=60m
>               keylife=20m
>               rekeymargin=3m
>               keyingtries=1
>               keyexchange=ikev2  
>               authby=secret
>
>       conn home
>               left=127.0.0.2
>               leftfirewall=no
>               right=127.0.0.3
>               auto=add
>
>       ipsec.secrets
>       ------------------------------
>       127.0.0.2 : PSK <shared secret>
>
>       strongswan.conf
>       -------------------------------
>       charon {
>           load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default   updown
>       }
>
>     2. I issue "sudo ipsec start" and status commands and get the following:
>
>     Starting strongSwan 5.1.2 IPsec [starter]...
>     !! Your strongswan.conf contains manual plugin load options for charon.
>     !! This is recommended for experts only, see
>     !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>     brianswan3 at brianswan3-VirtualBox:/etc$ sudo ipsec status
>     Security Associations (0 up, 0 connecting):
>       none
>
>     3. The fact that it shows no security associations implies to me that it didn't work. Is this true and is there something obvious that  I'm doing wrong?
>
>     Thanks,
>        Brian
>
>
>
>

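A pre-flight check for the situation in this thread, added here as an illustration (it is not part of the original messages or of strongSwan): it reads a manual `load` list and reports whether a DH-capable plugin, gmp or openssl as named in the reply, is both listed and present on the box. The function names, status strings and the `libstrongswan-<name>.so` file naming are assumptions of this example.

```python
import re
from pathlib import Path

# Plugins the reply names as providers of the Diffie-Hellman groups.
DH_PLUGINS = ("gmp", "openssl")

def charon_load_list(conf_text):
    """Plugins from a flat `charon { load = ... }` section, or None if no manual list."""
    m = re.search(r"charon\s*\{[^}]*?^\s*load\s*=([^\n#]*)", conf_text, re.M)
    return m.group(1).split() if m else None

def installed_plugins(plugin_dir):
    """Plugin names found in plugin_dir (assumed naming: libstrongswan-<name>.so)."""
    return {p.name[len("libstrongswan-"):-len(".so")]
            for p in Path(plugin_dir).glob("libstrongswan-*.so")}

def dh_check(conf_text, installed):
    """Return (status, plugins) describing the DH capability of a manual load list."""
    load = charon_load_list(conf_text)
    if load is None:
        return ("no_manual_list", [])
    listed = [p for p in load if p in DH_PLUGINS]
    if not listed:
        return ("no_dh_plugin_listed", [])
    # A plugin named in the list but absent from disk cannot supply MODP_2048.
    usable = [p for p in listed if p in installed]
    return ("ok", usable) if usable else ("dh_plugin_not_installed", listed)

# strongswan.conf as posted in the thread.
POSTED_CONF = """charon {
    load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
"""

if __name__ == "__main__":
    # Constructed inventory: gmp absent, openssl present.
    # On a real box, build this set with installed_plugins(<plugin directory>).
    inventory = {"aes", "des", "sha1", "sha2", "md5", "random", "nonce", "hmac", "openssl"}
    print(dh_check(POSTED_CONF, inventory))
    print(dh_check(POSTED_CONF.replace(" gmp ", " openssl "), inventory))
```
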


