[strongSwan] sha256 failing with netlink error

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 12 05:56:38 CEST 2016


Hi Lakshmi,

SHA-256 was implemented incorrectly for ESP with a 96 bit instead
of the standard 128 bit truncation in Linux kernels older than
2.6.33.

Workarounds:

1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)

2) If you run strongSwan on both VPN end points you can select the
    incorrect non-standard 96 bit truncation size by configuring

    esp=aes128-sha256_96

    In order for this non-standard algorithm ID to be accepted it might
    also be necessary to activate the sending of the strongSwan vendor id
    by setting

    charon {
      send_vendor_id = yes
    }

    in /etc/strongswan.conf

Regards

Andreas

On 12.08.2016 03:04, Lakshmi Prasanna wrote:
> Experts,
>
> Need urgent help.
>
> When I try to use strongswan with SHA256, I see that the negotiation
> fails at child SA creation time. I am using
>     strongSwan 5.1.3 (Linux 2.6.21). Following is the log:
>
> parsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
>
> received netlink error: Invalid argument (22)
>
> unable to add SAD entry with SPI c28f19c1
>
> received netlink error: Invalid argument (22)
>
> unable to add SAD entry with SPI c088894f
>
> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
> failed to establish CHILD_SA, keeping IKE_SA
>
> sending DELETE for ESP CHILD_SA with SPI c28f19c1
>
>
> I have already tried the changes mentioned in
> https://lists.strongswan.org/pipermail/users/2013-September/005203.html
> and it doesn't seem to work.
>
> Is there any other fix for this issue?
>
> Rgds,
>
> Lakshmi
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
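The kernel check and the two config fragments from the reply above, as an added example that is not part of the mail or of the strongSwan project's own code. It assumes the version boundary stated in the mail (2.6.33) and strongSwan's private sha256_96 proposal keyword; the function names (parse_kernel_release, esp_proposal, strongswan_conf, failed_sad_spis) and the log sample, copied from the quoted report, are the example's own. EINVAL from netlink is treated as consistent with the truncation mismatch, not as proof of it, since the kernel also returns errors for other SAD install problems.

```python
"""Pick the ESP proposal for strongSwan on a given Linux kernel and spot the
netlink failure pattern from charon's log.  Example code added here, not
from the strongSwan project.  Kernel boundary 2.6.33 is taken from the mail."""
import re

# Kernels older than this truncate SHA-256 ESP ICVs to 96 bits (per the mail).
FIRST_FIXED_KERNEL = (2, 6, 33)

NETLINK_EINVAL = "received netlink error: Invalid argument (22)"
SAD_FAIL = re.compile(r"unable to add SAD entry with SPI ([0-9a-f]{8})")

# Constructed sample: the failing lines quoted in the original report.
SAMPLE_LOG = """\
parsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
received netlink error: Invalid argument (22)
unable to add SAD entry with SPI c28f19c1
received netlink error: Invalid argument (22)
unable to add SAD entry with SPI c088894f
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
"""


def parse_kernel_release(release):
    """'2.6.32-5-amd64' -> (2, 6, 32); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def kernel_truncates_sha256_to_96(release):
    """True if this kernel's ESP SHA-256 still uses the old 96-bit ICV."""
    return parse_kernel_release(release) < FIRST_FIXED_KERNEL


def esp_proposal(release, encr="aes128"):
    """ESP proposal for ipsec.conf: standard 128-bit truncation where the
    kernel supports it, strongSwan's non-standard sha256_96 only where it
    does not (both peers must then be strongSwan)."""
    if kernel_truncates_sha256_to_96(release):
        return "%s-sha256_96" % encr
    return "%s-sha256" % encr


def strongswan_conf(release):
    """charon section for /etc/strongswan.conf; the vendor ID is needed so
    the peer accepts the private sha256_96 algorithm identifier."""
    if kernel_truncates_sha256_to_96(release):
        return "charon {\n  send_vendor_id = yes\n}\n"
    return "charon {\n}\n"


def failed_sad_spis(log_text):
    """SPIs whose SAD install was rejected by the kernel with EINVAL; the
    error line immediately precedes the 'unable to add SAD entry' line."""
    lines = [l.strip().lstrip("> ").strip() for l in log_text.splitlines()]
    lines = [l for l in lines if l]          # drop blank quoting lines
    spis = []
    for prev, cur in zip(lines, lines[1:]):
        m = SAD_FAIL.search(cur)
        if m and NETLINK_EINVAL in prev:
            spis.append(m.group(1))
    return spis


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print("kernel %s -> esp=%s" % (rel, esp_proposal(rel)))
    print(strongswan_conf(rel))
    print("failed SPIs in sample log:", failed_sad_spis(SAMPLE_LOG))
```

Run on the affected host it prints the esp= line to put in ipsec.conf and the charon block for strongswan.conf; feeding it the real charon log instead of SAMPLE_LOG lists the SPIs that the kernel refused. Prefer the kernel upgrade (workaround 1) whenever possible, since sha256_96 only interoperates between strongSwan peers and is not what RFC 4868 peers expect.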


