[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Christian Klugesherz christian.klugesherz at gmail.com
Sun Jul 17 09:57:26 CEST 2016


Hi Tobias

It is really, really difficult to get rid of the situation.
Relative to the objective, explained in this post, I have now compiled
strongswan on my raspberry.

Unfortunately there is still something which is missing, not working :-(
What I understood / syslog, is that the Received SA from my BB10,
didn't match with the SA from Strongswan

Is that linked to DES/DH ?
If yes, how to activate: Diffie-Hellman groups / DES: through
configure --enable ?
If the issue is coming from somewhere else?

Many Thanks

Christian

PS: Configuration fails if I try to add: gmp or gcrypt
  configure: error: gcrypt library not found


Received proposals:
================
IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768

Configured proposals:
=================
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/HMAC_MD5_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_MD5

Difference
========
By comparison what is missing
DES_CBC/MODP_1024/MODP_768

My configure
==========
$ ./configure --enable-aes --enable-des --enable-sha1 --enable-md4 \
    --enable-md5 --enable-eap-md5 --enable-eap-identity --enable-hmac \
    --disable-gmp --enable-kernel-libipsec --enable-dhcp \
    --enable-eap-mschapv2 --enable-eap-dynamic --enable-kernel-netlink \
    --enable-dnskey --enable-attr --enable-resolve --enable-socket-default \
    --prefix=/usr --sysconfdir=/etc

2016-07-14 19:57 GMT+02:00 Christian Klugesherz
<christian.klugesherz at gmail.com>:
> Hi Tobias,
>
> Great help.
> I will compile strongswan on raspberry and will revert to you.
>
> Thanks
>
> Christian
>
>
>   Original message
> From: Tobias Brunner
> Sent: Thursday 14 July 2016 11:23
> To: Christian Klugesherz
> Cc: Users at lists.strongswan.org
> Subject: Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi
>
> Hi Christian,
>
>> No I don't have any error on the startup
>
> I was not referring to the console output. Did you check the log?
>
>> !! Your strongswan.conf contains manual plugin load options for charon.
>> !! This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>
> Did you read the above document?
>
>> I guess that eap-mschapv2 is not loaded, even though I have required it in
>> strongswan.conf
>> How can I fix it?
>
> It can't be loaded if it's not available. And according to `ipsec
> listall` MD4 and DES are both missing, which are required to implement
> the EAP-MSCHAPv2 protocol. So even if the plugin would be available it
> can't be used. These algorithms are provided by the `des` and `md4`
> plugins or one of the crypto wrappers i.e. `openssl` or `gcrypt` - none
> of these are currently loaded on your system. Neither is the
> eap-identity plugin, which has no other dependencies.
>
> If you built strongSwan yourself you have to rebuild it with the
> appropriate `--enable-...` options (run `make clean` before rebuilding).
> If you installed strongSwan from distribution packages you might have
> to install additional packages that provide these plugins.
>
> Regards,
> Tobias
>
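
Added example, not part of the original message or of strongSwan: the received and configured IKE proposals from the log excerpt above, split by transform type to show where the two sides share no algorithm. The prefix-based classification in `transform_type`, the function names, and the rule that every transform type needs one shared algorithm are assumptions that simplify real proposal selection.

```python
# Added example: per-transform-type comparison of IKE proposal strings.
# The two strings are copied from the log excerpt in the message above.
TYPES = ("encryption", "integrity", "prf", "dh")

RECEIVED = "IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768"
CONFIGURED = (
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/HMAC_MD5_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_MD5"
)


def transform_type(name):
    """Assumption: classify an algorithm by its name prefix (simplified)."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith("HMAC_") or "XCBC" in name or "CMAC" in name:
        return "integrity"
    return "encryption"


def parse_proposals(text):
    """Split 'IKE:A/B/C, IKE:D/E' into one {type: [algorithms]} dict per proposal."""
    proposals = []
    for chunk in filter(None, (c.strip() for c in text.split(","))):
        by_type = {t: [] for t in TYPES}
        for alg in chunk.partition(":")[2].split("/"):
            by_type[transform_type(alg)].append(alg)
        proposals.append(by_type)
    return proposals


def common(received, configured):
    """Algorithms both sides offer, per type, in the configured order."""
    return {t: [a for a in configured[t] if a in received[t]] for t in TYPES}


def mismatches(received, configured):
    """Transform types with nothing in common; any entry means no match."""
    shared = common(received, configured)
    return [t for t in TYPES if not shared[t]]


if __name__ == "__main__":
    peer = parse_proposals(RECEIVED)[0]
    for i, local in enumerate(parse_proposals(CONFIGURED), 1):
        print(f"configured #{i}: no overlap in {mismatches(peer, local) or 'nothing'}")
```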

