[strongSwan] failure with ike using sha2
Ko, HsuenJu
HsuenJu.Ko at stratus.com
Fri Mar 27 18:00:49 CET 2015
Hi Noel,
Thank you for the help. I will give it a try.
Bettina
-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de]
Sent: Friday, March 27, 2015 12:36 PM
To: Ko, HsuenJu; users at lists.strongswan.org
Subject: Re: [strongSwan] failure with ike using sha2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Bettina,
Yes, try loading the "hmac" plugin first.
To change the load order of the plugins, you need to set charon.load in strongswan.conf to the list of plugins you want to load.
As a starting point for the list, you can take the "loaded plugins"
list in the output of "ipsec statusall".
For the syntax of the file, look at the man page for strongswan.conf
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 27.03.2015 um 16:33 schrieb Ko, HsuenJu:
> Hi Noel,
> Here is some output from ipsec statusall.
>
> Status of IKE charon daemon (strongSwan 5.1.1, VOS OpenVOS Release 18.0.0af, i786):
> ...
> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem
> openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute
> resolve socket-default stroke updown xauth-generic
>
> Here is some output from ipsec listall.
>
> List of registered IKE algorithms:
>
> encryption: DES_CBC[des] 3DES_CBC[des] IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl]
> AES_CBC[aes] CAMELLIA_CBC[openssl] DES_ECB[des] RC2_CBC[rc2]
> integrity: HMAC_MD5_96[openssl] HMAC_SHA1_96[openssl] AES_XCBC_96[xcbc] HMAC_MD5_128[openssl] HMAC_SHA1_160[openssl]
> AES_CMAC_96[cmac] HMAC_SHA2_256_128[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_512_256[openssl]
> HMAC_SHA1_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_512[openssl]
> CAMELLIA_XCBC_96[xcbc]
> aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]
> hasher: HASH_MD4[openssl] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2]
> HASH_SHA512[sha2]
> prf: PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA2_256[openssl]
> PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl]PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf]
> PRF_KEYED_SHA1[sha1] PRF_CAMELLIA128_XCBC[xcbc]
> dh-group: MODP_768[openssl] MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl]
> MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl]
> ECP_521[openssl] MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl]
> ECP_224[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]
> MODP_CUSTOM[openssl]
> random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
> nonce-gen: [nonce]
>
>
> Here is just very simple connection.
>
> conn test_14
> left=10.2.14.122
> leftauth=pubkey
> leftcert=test_2.14_cert_ipv4.der
> right=10.2.14.120
> esp=aes128-sha256-modp2048!
> ike=aes128-sha512-modp2048!
> keyingtries=8
> rightauth=pubkey
>
>
> It looks like both openssl and hmac supports that. Should I try load hmac first? How do I change that order?
>
> Thanks!
> Bettina
>
> -----Original Message-----
> From: Noel Kuntze [mailto:noel at familie-kuntze.de]
> Sent: Friday, March 27, 2015 11:19 AM
> To: Ko, HsuenJu; users at lists.strongswan.org
> Subject: Re: [strongSwan] failure with ike using sha2
>
> Hello Bettina,
>
> First, you have to find out what plugin currently provides those algorithms.
> Do that by examining the list of loaded plugins in the output of "ipsec statusall".
> On my box, sha1 and sha2 can be either supplied by the af-alg, hmac or openssl plugin.
> The plugin which is loaded first supplies them.
>
> To make your life easier, I advise to post the list of loaded plugins here, so we can look at it and help you.
> Furthermore, please state what version of strongswan you are using and what the content of your strongswan.conf is.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 27.03.2015 um 16:12 schrieb Ko, HsuenJu:
> > Hi,
> > Thanks for the information. How do I find out which plugin to try?
>
>
> > Bettina
>
> > -----Original Message-----
> > From: users-bounces at lists.strongswan.org
> > <mailto:users-bounces at lists.strongswan.org>
> > [mailto:users-bounces at lists.strongswan.org] On Behalf Of Noel Kuntze
> > Sent: Friday, March 27, 2015 11:12 AM
> > To: users at lists.strongswan.org <mailto:users at lists.strongswan.org>
> > Subject: Re: [strongSwan] failure with ike using sha2
>
> > Hello,
>
> > That sounds like the plugin that provides those algorithms is broken.
> > You can try to work around that by making charon load another plugin, which provides the PRF algorithms for those signature algorithms, before the one you are using right now.
>
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
>
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > Am 27.03.2015 um 16:05 schrieb Ko, HsuenJu:
> >> Hi ,
>
> >> I got error of “key derivation failed” when I configured ike using sha2. I don’t have problem with md5 or sha1. And I am using strongswan 5.1.1. Here is the corresponding log. Can someone tell me what I did wrong or is this a bug?
>
>
>
> >> Thanks!
>
> >> Bettina
>
>
>
>
>
> >> ike=aes128-sha256-modp2048!
>
>
>
> >> Mar 27 10:15:41 11[IKE] SKEYSEED => 32 bytes @ 0x41c89760
>
> >> Mar 27 10:15:41 11[IKE] 0: 40 06 D6 2C 40 06 D8 24 40 F5 00 20 41 C7 BB 20 @.., at ..$@.. A..
>
> >> Mar 27 10:15:41 11[IKE] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>
> >> Mar 27 10:15:41 11[IKE] key derivation failed
>
>
>
>
>
> >> ike=aes128-sha384-modp2048!
>
>
>
> >> Mar 27 10:46:03 09[IKE] SKEYSEED => 48 bytes @ 0x41c8bf70
>
> >> Mar 27 10:46:03 09[IKE] 0: 43 36 20 31 35 20 31 34 20 30 42 20 38 38 20 36 C6 15 14 0B 88 6
>
> >> Mar 27 10:46:03 09[IKE] 16: 46 20 43 38 20 38 45 20 35 34 20 42 44 20 38 42 F C8 8E 54 BD 8B
>
> >> Mar 27 10:46:03 09[IKE] 32: 20 31 46 20 32 38 20 36 44 20 33 41 20 20 2E 2E 1F 28 6D 3A ..
>
> >> Mar 27 10:46:03 09[IKE] key derivation failed
>
>
>
> >> ike=aes128-sha512-modp2048!
>
>
>
> >> Mar 27 10:48:17 09[IKE] SKEYSEED => 64 bytes @ 0x41c8bf70
>
> >> Mar 27 10:48:17 09[IKE] 0: 31 45 20 38 33 20 31 33 20 38 39 20 31 36 20 34 1E 83 13 89 16 4
>
> >> Mar 27 10:48:17 09[IKE] 16: 36 20 35 32 20 32 30 20 39 34 20 31 43 20 44 36 6 52 20 94 1C D6
>
> >> Mar 27 10:48:17 09[IKE] 32: 20 38 39 20 37 38 20 42 43 20 39 41 20 20 69 2E 89 78 BC 9A i.
>
> >> Mar 27 10:48:17 09[IKE] 48: 2E 2E 2E 2E 46 52 20 2E 2E 2E 2E 78 2E 2E 0A 20 ....FR ....x...
>
> >> Mar 27 10:48:17 09[IKE] key derivation failed
>
>
>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> >> https://lists.strongswan.org/mailman/listinfo/users
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVFYbzAAoJEDg5KY9j7GZYgScP/j3n7jXwozj65xL0uaoznFbb
PWK4rtacGO5rK46ta1tRTflqCXaROkI9ZpYt4NjHNIUuppUwJwsJPbuvqkoDD2gV
SEcGB8yWM5ZksE0OtoeUcd0tpw0ohKa6o50vHnfR631xR3QElz56bvh9ctInYuTK
y6XZ4G8v2SIEbjR82MRoOTinRblArCkcOd2eXZneXZnXqPZPLLOQodnhVZudSeZp
heE2YhlhVvdgpvkUKN+7B6xEn8cZ5syi0Pd0onXk4a8b37s135uxwoqSs18PrNgF
JDZAp/E7dim1Mu9djqY+Rr5RziTpJG/3e4tmvfgIXaXJ+kemQISIu1ltZBa85itY
kswWgzkXy53emOFsk4VV6bsoDidfgQYdhY8M9QIA4Pr/9XucDXsLsadbXPAoSNy3
r+9DBnLsYKv5dqO4dGSu2g7Er9W00nvLQtDINeAoaM7iXQGtN2BaPJARHdXc6MOz
g89qNtSn8Eg3SjvPzdLr2guzCS2F7xk0NnM12RAzo14Q/47mvaK2dZq/mks/bJNB
9EoZo/ekHaLkArUessYO78gcsiV7CCOkm7Kfc9uiRAQCUT3IMImpoGzeKO66d+I9
gq4lDBHl75VcB8y6fl8ClqPCB1Zwqlo7ugeJeNdL7fDX34qQI7Fg+Rbryd19El3v
VXVLGte22g2E6cYC2RPg
=2fhM
-----END PGP SIGNATURE-----
More information about the Users
mailing list