[strongSwan] failure with ike using sha2

Noel Kuntze noel at familie-kuntze.de
Fri Mar 27 16:18:33 CET 2015


Hello Bettina,

First, you have to find out what plugin currently provides those algorithms.
Do that by examining the list of loaded plugins in the output of "ipsec statusall".
On my box, sha1 and sha2 can be either supplied by the af-alg, hmac or openssl plugin.
The plugin which is loaded first supplies them.

To make your life easier, I advise you to post the list of loaded plugins here,
so we can look at it and help you.
Furthermore, please state what version of strongswan you are using
and what the content of your strongswan.conf is.

Regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.03.2015 at 16:12, Ko, HsuenJu wrote:
> Hi,
> Thanks for the information.  How do I find out which plugin to try?
> 
> 
> Bettina
> 
> -----Original Message-----
> From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Noel Kuntze
> Sent: Friday, March 27, 2015 11:12 AM
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] failure with ike using sha2
> 
> Hello,
> 
> That sounds like the plugin that provides those algorithms is broken.
> You can try to work around that by making charon load another plugin, which provides the PRF algorithms for those signature algorithms, before the one you are using right now.
> 
> Regards,
> Noel Kuntze
> 
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 27.03.2015 at 16:05, Ko, HsuenJu wrote:
>> Hi,
>>
>> I got a “key derivation failed” error when I configured ike using sha2. I don’t have a problem with md5 or sha1. And I am using strongswan 5.1.1. Here is the corresponding log. Can someone tell me what I did wrong, or is this a bug?
>>
>> Thanks!
>>
>> Bettina
>>
>> ike=aes128-sha256-modp2048!
>>
>> Mar 27 10:15:41 11[IKE] SKEYSEED => 32 bytes @ 0x41c89760
>> Mar 27 10:15:41 11[IKE]    0: 40 06 D6 2C 40 06 D8 24 40 F5 00 20 41 C7 BB 20  @..,@..$@.. A..
>> Mar 27 10:15:41 11[IKE]   16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>> Mar 27 10:15:41 11[IKE] key derivation failed
>>
>> ike=aes128-sha384-modp2048!
>>
>> Mar 27 10:46:03 09[IKE] SKEYSEED => 48 bytes @ 0x41c8bf70
>> Mar 27 10:46:03 09[IKE]    0: 43 36 20 31 35 20 31 34 20 30 42 20 38 38 20 36  C6 15 14 0B 88 6
>> Mar 27 10:46:03 09[IKE]   16: 46 20 43 38 20 38 45 20 35 34 20 42 44 20 38 42  F C8 8E 54 BD 8B
>> Mar 27 10:46:03 09[IKE]   32: 20 31 46 20 32 38 20 36 44 20 33 41 20 20 2E 2E   1F 28 6D 3A  ..
>> Mar 27 10:46:03 09[IKE] key derivation failed
>>
>> ike=aes128-sha512-modp2048!
>>
>> Mar 27 10:48:17 09[IKE] SKEYSEED => 64 bytes @ 0x41c8bf70
>> Mar 27 10:48:17 09[IKE]    0: 31 45 20 38 33 20 31 33 20 38 39 20 31 36 20 34  1E 83 13 89 16 4
>> Mar 27 10:48:17 09[IKE]   16: 36 20 35 32 20 32 30 20 39 34 20 31 43 20 44 36  6 52 20 94 1C D6
>> Mar 27 10:48:17 09[IKE]   32: 20 38 39 20 37 38 20 42 43 20 39 41 20 20 69 2E   89 78 BC 9A  i.
>> Mar 27 10:48:17 09[IKE]   48: 2E 2E 2E 2E 46 52 20 2E 2E 2E 2E 78 2E 2E 0A 20  ....FR ....x...
>> Mar 27 10:48:17 09[IKE] key derivation failed
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> 
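The plugin-order check described in the reply above, as an added example that is not part of the original message or of strongSwan: it reads `ipsec statusall` output and lists, in load order, which of the three plugins named in the reply are loaded. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which crypto provider plugin charon loaded first.
# Candidate names are the three plugins named in the reply above.
CANDIDATES="af-alg hmac openssl"

# Constructed sample of `ipsec statusall` output (not taken from the thread).
SAMPLE='Status of IKE charon daemon (strongSwan 5.1.1):
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey openssl hmac af-alg stroke kernel-netlink
Listening IP addresses:
  192.0.2.10'

# provider_order: read statusall text on stdin and print the candidate
# plugins found on the "loaded plugins:" line, one per line, in load order.
provider_order() {
    awk -v cands="$CANDIDATES" '
        BEGIN { n = split(cands, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
        /^[ \t]*loaded plugins:/ {
            sub(/^[ \t]*loaded plugins:[ \t]*/, "")
            for (i = 1; i <= NF; i++) if ($i in want) print $i
            exit
        }'
}

# first_provider: the candidate that was loaded first, which per the reply
# is the one supplying the algorithms. Prints nothing if none is loaded.
first_provider() {
    provider_order | head -n 1
}

# Demo on the constructed sample.
# On a gateway, run instead: ipsec statusall | provider_order
printf '%s\n' "$SAMPLE" | provider_order | awk '
    NR == 1 { print $0 "  <- loaded first, supplies the algorithms"; next }
            { print $0 "  <- loaded later, candidate to load earlier" }'
```
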

