[strongSwan] Issue with AES-GCM algo on strongswan

Sunny Kumar Sunny2.Kumar at aricent.com
Tue Jul 7 09:11:23 CEST 2015

Hi,

Thanks for the help. I have added “aes128gcm128” in strongswan.conf but I am still getting the same issue.

load = aes128gcm128 aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-identity eap-aka eap-aka-3gpp2 updown

I checked the list of registered IKE algorithms and I can't see AES-GCM in the list.

List of registered IKE algorithms:

  encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des]
  integrity:  HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac]
              HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac]
              HMAC_SHA2_512_256[hmac] HMAC_SHA2_512_512[hmac]
  hasher:     HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
  prf:        PRF_KEYED_SHA1[sha1] PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac]
              PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_FIPS_SHA1_160[fips-prf]
  dh-group:   MODP_2048[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_1536[gmp] MODP_3072[gmp] MODP_4096[gmp]
              MODP_6144[gmp] MODP_8192[gmp] MODP_1024[gmp] MODP_1024_160[gmp] MODP_768[gmp] MODP_CUSTOM[gmp]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]

Please let me know if I am missing something.


From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Zhuyj
Sent: Tuesday, July 07, 2015 11:11 AM
To: sunny kumar
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Issue with AES-GCM algo on strongswan

Load all modules in strongswan.conf

Sent from my iPhone

On July 7, 2015, at 13:33, sunny kumar <sunnykumar.18jun at gmail.com> wrote:

I am using strongswan client for EAP-AKA scenario.

In ipsec.conf I have added following parameter for IKE SA negotiation :


When client (strongswan) receives IKE_SA_INIT response it gives an error --
ENCRYPTION_ALGORITHM AES_GCM_16 (key size 128) not supported.

Can anyone advise on the above?

Thanks and regards,
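An added example, not part of the original thread or of strongSwan: a Python check that parses the registered-algorithm listing quoted in the message above and reports which wanted IKE algorithms no loaded plugin has registered. The function names are hypothetical; the listing is copied from the message, and the wanted list takes AES_GCM_16 from the quoted error plus AES_CBC for contrast.

```python
import re

# Registered-algorithm listing copied from the message above (whitespace normalized).
LISTING = """\
  encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des]
  integrity:  HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac]
              HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac]
              HMAC_SHA2_512_256[hmac] HMAC_SHA2_512_512[hmac]
  hasher:     HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
  prf:        PRF_KEYED_SHA1[sha1] PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac]
              PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_FIPS_SHA1_160[fips-prf]
  dh-group:   MODP_2048[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_1536[gmp] MODP_3072[gmp] MODP_4096[gmp]
              MODP_6144[gmp] MODP_8192[gmp] MODP_1024[gmp] MODP_1024_160[gmp] MODP_768[gmp] MODP_CUSTOM[gmp]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]
"""

LABEL = re.compile(r"^\s*([a-z-]+):\s*(.*)$")    # e.g. "  encryption: ..."
ENTRY = re.compile(r"([A-Z0-9_]+)\[([\w-]+)\]")  # e.g. "AES_CBC[aes]"

def parse_registered(text):
    """Return {category: {algorithm: plugin}}; unlabelled lines continue the previous category."""
    algs, current = {}, None
    for line in text.splitlines():
        label = LABEL.match(line)
        if label:
            current, rest = label.group(1), label.group(2)
            algs.setdefault(current, {})
        elif current and line.strip():
            rest = line
        else:
            continue
        for name, plugin in ENTRY.findall(rest):
            algs[current][name] = plugin
    return algs

def find_providers(algs, name):
    """Return {category: plugin} for every category in which `name` is registered."""
    return {cat: entries[name] for cat, entries in algs.items() if name in entries}

def unsupported(algs, wanted):
    """Return the wanted algorithms that no loaded plugin registered."""
    return [name for name in wanted if not find_providers(algs, name)]

if __name__ == "__main__":
    registered = parse_registered(LISTING)
    for alg in unsupported(registered, ["AES_GCM_16", "AES_CBC"]):
        print(f"{alg}: not registered by any loaded plugin")
```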