[strongSwan] failure with ike using sha2

Ko, HsuenJu HsuenJu.Ko at stratus.com
Mon Mar 30 13:15:41 CEST 2015 

Hi Andreas,
Noel suggested me to rearrange the order of plugins being loaded and it worked if I loaded hmac plugin before opensssl plugin.  Please let me know if there is a fix for openssl since changing the  load order of plugin is not recommended.

Thanks!
Bettina

To answer your question,  I was able to load sha2 plugin successfully.  In the log it shows the following.


Mar 27 10:15:30 00[LIB] loading feature PRF:PRF_HMAC_SHA2_256 in plugin 'openssl'
Mar 27 10:15:30 00[LIB] loading feature PRF:PRF_HMAC_SHA2_384 in plugin 'openssl'
Mar 27 10:15:30 00[LIB] loading feature PRF:PRF_HMAC_SHA2_512 in plugin 'openssl'

Here is the information from ipsec statusall that I sent earlier.

List of registered IKE algorithms:

  encryption: DES_CBC[des] 3DES_CBC[des] IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl]
              AES_CBC[aes] CAMELLIA_CBC[openssl] DES_ECB[des] RC2_CBC[rc2]
  integrity:  HMAC_MD5_96[openssl] HMAC_SHA1_96[openssl] AES_XCBC_96[xcbc] HMAC_MD5_128[openssl] HMAC_SHA1_160[openssl]
              AES_CMAC_96[cmac] HMAC_SHA2_256_128[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_512_256[openssl]
              HMAC_SHA1_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_512[openssl]
              CAMELLIA_XCBC_96[xcbc]
  aead:       AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]
  hasher:     HASH_MD4[openssl] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2]
              HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA2_256[openssl]
              PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf]
              PRF_KEYED_SHA1[sha1] PRF_CAMELLIA128_XCBC[xcbc]
  dh-group:   MODP_768[openssl] MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl]
              MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl]
              ECP_521[openssl] MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl]
              ECP_224[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]
              MODP_CUSTOM[openssl]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Friday, March 27, 2015 5:01 PM
To: Ko, HsuenJu; users at lists.strongswan.org
Subject: Re: [strongSwan] failure with ike using sha2

Hi Bettina,

are you sure that you loaded the sha2 plugin because the HMAC-SHA2
algorithms for the prf_plus seem to fail. ipsec statusall should list
the sha2 plugin.

Regards

Andreas

On 03/27/2015 04:05 PM, Ko, HsuenJu wrote:
> Hi ,
>
> I got error of "key derivation failed" when I configured ike using sha2.
>  I don't have problem with md5 or sha1.  And I am using strongswan
> 5.1.1. Here is the corresponding log.  Can someone tell me what I did
> wrong or is this a bug?
>
>
>
> Thanks!
>
> Bettina
>
>
>
>
>
> ike=aes128-sha256-modp2048!
>
>
>
> Mar 27 10:15:41 11[IKE] SKEYSEED => 32 bytes @ 0x41c89760
>
> Mar 27 10:15:41 11[IKE]    0: 40 06 D6 2C 40 06 D8 24 40 F5 00 20 41 C7
> BB 20  @.., at ..$@.. A..
>
> Mar 27 10:15:41 11[IKE]   16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00  ................
>
> Mar 27 10:15:41 11[IKE] key derivation failed
>
>
>
>
>
> ike=aes128-sha384-modp2048!
>
>
>
> Mar 27 10:46:03 09[IKE] SKEYSEED => 48 bytes @ 0x41c8bf70
>
> Mar 27 10:46:03 09[IKE]    0: 43 36 20 31 35 20 31 34 20 30 42 20 38 38
> 20 36  C6 15 14 0B 88 6
>
> Mar 27 10:46:03 09[IKE]   16: 46 20 43 38 20 38 45 20 35 34 20 42 44 20
> 38 42  F C8 8E 54 BD 8B
>
> Mar 27 10:46:03 09[IKE]   32: 20 31 46 20 32 38 20 36 44 20 33 41 20 20
> 2E 2E   1F 28 6D 3A  ..
>
> Mar 27 10:46:03 09[IKE] key derivation failed
>
>
>
> ike=aes128-sha512-modp2048!
>
>
>
> Mar 27 10:48:17 09[IKE] SKEYSEED => 64 bytes @ 0x41c8bf70
>
> Mar 27 10:48:17 09[IKE]    0: 31 45 20 38 33 20 31 33 20 38 39 20 31 36
> 20 34  1E 83 13 89 16 4
>
> Mar 27 10:48:17 09[IKE]   16: 36 20 35 32 20 32 30 20 39 34 20 31 43 20
> 44 36  6 52 20 94 1C D6
>
> Mar 27 10:48:17 09[IKE]   32: 20 38 39 20 37 38 20 42 43 20 39 41 20 20
> 69 2E   89 78 BC 9A  i.
>
> Mar 27 10:48:17 09[IKE]   48: 2E 2E 2E 2E 46 52 20 2E 2E 2E 2E 78 2E 2E
> 0A 20  ....FR ....x...
>
> Mar 27 10:48:17 09[IKE] key derivation failed
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org<mailto:Users at lists.strongswan.org>
> https://lists.strongswan.org/mailman/listinfo/users
>


--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org<mailto:andreas.steffen at strongswan.org>
strongSwan - the Open Source VPN Solution!          www.strongswan.org<http://www.strongswan.org>
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150330/ffd0636a/attachment.html>

More information about the Users mailing list