[strongSwan] aes256gcm12 is not working for me

Kapil Adhikesavalu kapil20084 at gmail.com
Wed Jun 22 07:11:22 CEST 2016


Seems you are hitting the AES-NI 256-bit limitation. You have a couple of
options:

1. Move to kernel 4.1 or see if patches are available to port it to old
kernel.

2. Try removing this kernel module; it might work (maybe not) without the
AES-NI instructions support. If it works, throughput will be less.

Thanks
Kapil
On 22-Jun-2016 8:54 AM, "sandeep dubey" <sandeep.sanash at gmail.com> wrote:

> Thanks Kapil for quick reply.
>
> I grepped for 'intel_aesni' in /proc/crypto and found the below -
>
> module       : aesni_intel
> driver       : crc32c-intel
>
> It seems that our EC2 instance is on that kernel.
>
> On Wed, Jun 22, 2016 at 8:42 AM, Kapil Adhikesavalu <kapil20084 at gmail.com>
> wrote:
>
>> Hi Sandeep,
>>
>> Are you by any chance using intel_aesni klm (check /proc/crypto)? If so,
>> aesgcm256 is not supported until kernel 4.1.
>>
>> Otherwise you can check the logs to see for any errors.
>>
>> Related to GCM256 - https://wiki.strongswan.org/issues/341
>>
>> Thanks
>> Kapil
>> On 22-Jun-2016 7:12 AM, "sandeep dubey" <sandeep.sanash at gmail.com> wrote:
>>
>>> Hi Andreas,
>>>
>>> Thanks for the reply, I tried but it didn't work for me.
>>>
>>> my config -
>>>
>>> conn support-node
>>>         authby=secret
>>>         auto=start
>>>         type=tunnel
>>>         left=172.19.17.23
>>>         leftid=5.6.7.8
>>>         leftsubnet=172.19.0.0/16
>>>         leftauth=psk
>>>         right=1.2.3.4
>>>         rightsubnet=10.10.0.0/16
>>>         rightauth=psk
>>>         ike=aes256gcm12-modp1536
>>>         esp=aes256gcm12-modp1536
>>>
>>> On Tue, Jun 21, 2016 at 6:53 PM, Andreas Steffen <
>>> andreas.steffen at strongswan.org> wrote:
>>>
>>>> Hi Sandeep,
>>>>
>>>> since AES-GCM is an authenticated encryption algorithm
>>>> no hash algorithm is needed in the esp statement:
>>>>
>>>>   esp=aes256gcm12-modp1536
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>>
>>>> On 21.06.2016 16:27, sandeep dubey wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am new to the strongSwan world and have successfully set up a tunnel
>>>>> between two AWS VPCs, but I have to make some changes in the config to
>>>>> comply with a security requirement, which is not working even after
>>>>> multiple tries. I went through an old bug for intel-eni which was fixed
>>>>> but couldn't find any way to check and confirm whether I have that fix
>>>>> or not.
>>>>>
>>>>> Bug ref. - http://wiki.strongswan.org/issues/341
>>>>> Fix ref. -
>>>>> https://marc.info/?l=linux-crypto-vger&m=139388786131685&w=2
>>>>>
>>>>> The only difference in my working config and not working config is as
>>>>> below -
>>>>>
>>>>> Working with -
>>>>>          ike=aes128-sha1-modp1024
>>>>>          esp=aes128-sha1-modp1024
>>>>>
>>>>> Not working with -
>>>>>          ike=aes256gcm12-sha256-modp1536
>>>>>          esp=aes256gcm12-sha256-modp1536
>>>>>
>>>>>
>>>>> I am using ikev2 on EC2 instance with kernel 3.13.0-85-generic
>>>>> #129-Ubuntu SMP.
>>>>>
>>>>> Can someone help me ?
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Sandeep
>>>>>
>>>>
>>>> ======================================================================
>>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil
>>>> CH-8640 Rapperswil (Switzerland)
>>>> ===========================================================[ITA-HSR]==
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Sandeep
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>
>
> --
> Regards,
> Sandeep
>
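
A check for the condition discussed in this thread, as an added example that is not part of any message above or of strongSwan: it reads `/proc/crypto`-format input, finds the highest-priority provider of `rfc4106(gcm(aes))` and flags the case where that provider comes from the `aesni_intel` module on a kernel older than 4.1. The function names and the sample entries are constructed for illustration; the 4.1 threshold is the one stated in Kapil's reply.

```shell
# Constructed sample in /proc/crypto layout (not output from the thread's host).
sample_proc_crypto() {
cat <<'EOF'
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400

name         : crc32c
driver       : crc32c-intel
module       : crc32c_intel
priority     : 200
EOF
}

# Print "priority driver module" for each rfc4106(gcm(aes)) entry (the name
# Linux uses for AES-GCM in ESP). $1 is a /proc/crypto-format file, "-" = stdin.
gcm_providers() {
    awk -F'[ \t]*:[ \t]*' '
        function emit() {
            if (name == "rfc4106(gcm(aes))") print prio, driver, module
            name = driver = module = prio = ""
        }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "module"   { module = $2 }
        $1 == "priority" { prio = $2 }
        /^[ \t]*$/       { emit() }
        END              { emit() }
    ' "$1"
}

# True if kernel release $1 (uname -r format) is older than 4.1 (per the thread).
kernel_older_than_4_1() {
    rel=${1%%-*}; major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 1 ]; }
}

# Print a verdict for the highest-priority provider, which the kernel prefers.
check_gcm() {
    krel=$2
    top=$(gcm_providers "$1" | sort -k1,1nr | head -n 1)
    [ -n "$top" ] || { echo "not-listed"; return 0; }  # no matching entry found
    set -- $top
    if [ "$3" = aesni_intel ] && kernel_older_than_4_1 "$krel"; then v=aesni-pre-4.1; else v=ok; fi
    echo "$v driver=$2"
}

sample_proc_crypto | check_gcm - "3.13.0-85-generic"
```

On a live host the same check is `check_gcm /proc/crypto "$(uname -r)"`.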