[strongSwan] aes256gcm12 is not working for me

sandeep dubey sandeep.sanash at gmail.com
Wed Jun 22 07:26:11 CEST 2016


Hi Kapil,

I have been looking into this issue for a couple of days and finally decided to
post my query here. The first option (patch for old kernel) I tried, but
couldn't find it. How can I find out if my kernel has that patch?

Second option is not workable for us.

On Wed, Jun 22, 2016 at 10:41 AM, Kapil Adhikesavalu <kapil20084 at gmail.com>
wrote:

> Seems you are hitting the AES-NI 256-bit limitation. You have a couple of
> options,
>
> 1. Move to kernel 4.1 or see if patches are available to port it to old
> kernel.
>
> 2. Try removing this kernel module, it might work (maybe not) without the
> AES-NI instructions support. If it works, throughput will be less.
>
> Thanks
> Kapil
> On 22-Jun-2016 8:54 AM, "sandeep dubey" <sandeep.sanash at gmail.com> wrote:
>
>> Thanks Kapil for quick reply.
>>
>> I grepped for 'intel_aesni' in /proc/crypto and found the below -
>>
>> module       : aesni_intel
>> driver       : crc32c-intel
>>
>> It seems that our EC2 instance is on that kernel.
>>
>> On Wed, Jun 22, 2016 at 8:42 AM, Kapil Adhikesavalu <kapil20084 at gmail.com
>> > wrote:
>>
>>> Hi Sandeep,
>>>
>>> Are you by any chance using intel_aesni klm (check /proc/crypto) ? If
>>> so, aesgcm256 is not supported until kernel 4.1.
>>>
>>> Otherwise you can check the logs to see for any errors.
>>>
>>> Related to GCM256 - https://wiki.strongswan.org/issues/341
>>>
>>> Thanks
>>> Kapil
>>> On 22-Jun-2016 7:12 AM, "sandeep dubey" <sandeep.sanash at gmail.com>
>>> wrote:
>>>
>>>> Hi Andreas,
>>>>
>>>> Thanks for the reply, I tried but it didn't work for me.
>>>>
>>>> my config -
>>>>
>>>> conn support-node
>>>>         authby=secret
>>>>         auto=start
>>>>         type=tunnel
>>>>         left=172.19.17.23
>>>>         leftid=5.6.7.8
>>>>         leftsubnet=172.19.0.0/16
>>>>         leftauth=psk
>>>>         right=1.2.3.4
>>>>         rightsubnet=10.10.0.0/16
>>>>         rightauth=psk
>>>>         ike=aes256gcm12-modp1536
>>>>         esp=aes256gcm12-modp1536
>>>>
>>>> On Tue, Jun 21, 2016 at 6:53 PM, Andreas Steffen <
>>>> andreas.steffen at strongswan.org> wrote:
>>>>
>>>>> Hi Sandeep,
>>>>>
>>>>> since AES-GCM is an authenticated encryption algorithm
>>>>> no hash algorithm is needed in the esp statement:
>>>>>
>>>>>   esp=aes256gcm12-modp1536
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>>
>>>>> On 21.06.2016 16:27, sandeep dubey wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am new to the strongSwan world and have successfully set up a tunnel
>>>>>> between two AWS VPCs, but I have to make some changes in the config to
>>>>>> comply with a security requirement, which is not working even after
>>>>>> multiple tries. I went through an old bug for intel-eni which was fixed but
>>>>>> couldn't find any way to check and confirm if I have that fix or not.
>>>>>>
>>>>>> Bug ref. - http://wiki.strongswan.org/issues/341
>>>>>> Fix ref. -
>>>>>> https://marc.info/?l=linux-crypto-vger&m=139388786131685&w=2
>>>>>>
>>>>>> The only difference in my working config and not working config is as
>>>>>> below -
>>>>>>
>>>>>> Working with -
>>>>>>          ike=aes128-sha1-modp1024
>>>>>>          esp=aes128-sha1-modp1024
>>>>>>
>>>>>> Not working with -
>>>>>>          ike=aes256gcm12-sha256-modp1536
>>>>>>          esp=aes256gcm12-sha256-modp1536
>>>>>>
>>>>>>
>>>>>> I am using ikev2 on EC2 instance with kernel 3.13.0-85-generic
>>>>>> #129-Ubuntu SMP.
>>>>>>
>>>>>> Can someone help me?
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Sandeep
>>>>>>
>>>>>
>>>>> ======================================================================
>>>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>>>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>>>> Institute for Internet Technologies and Applications
>>>>> University of Applied Sciences Rapperswil
>>>>> CH-8640 Rapperswil (Switzerland)
>>>>> ===========================================================[ITA-HSR]==
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Sandeep
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>
>>
>> --
>> Regards,
>> Sandeep
>>
>


-- 
Regards,
Sandeep
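
An added example, not part of the original thread: a shell check for the condition discussed above, reporting whether the highest-priority `rfc4106(gcm(aes))` provider listed in `/proc/crypto` is `aesni_intel` on a kernel older than the 4.1 threshold Kapil cites. The sample `/proc/crypto` text is constructed, the function names are hypothetical, and the version comparison is only a heuristic because distribution kernels can carry backported fixes.

```shell
# Constructed sample in /proc/crypto layout (not taken from the poster's host).
SAMPLE_CRYPTO='name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400

name         : rfc4106(gcm(aes))
driver       : rfc4106(gcm_base(ctr(aes-generic),ghash-generic))
module       : kernel
priority     : 100'

# Print "module priority driver" for the highest-priority provider of
# algorithm $1; stdin is /proc/crypto-style text. Fails if none is registered.
best_impl() {
    awk -v want="$1" 'BEGIN { RS = ""; FS = "\n"; best = -1 }
    {
        split("", f)                       # reset fields for this record
        for (i = 1; i <= NF; i++) {
            key = $i; sub(/[ \t]*:.*/, "", key)
            val = $i; sub(/^[^:]*:[ \t]*/, "", val)
            f[key] = val
        }
        if (f["name"] == want && f["priority"] + 0 > best) {
            best = f["priority"] + 0
            out = f["module"] " " best " " f["driver"]
        }
    }
    END { if (out == "") exit 1; print out }'
}

# Succeed when release $1 (uname -r form) is older than MAJOR.MINOR in $2.
kernel_older_than() {
    rel=${1%%-*}; maj=${rel%%.*}; rest=${rel#*.}; min=${rest%%.*}
    [ "$maj" -lt "${2%%.*}" ] ||
        { [ "$maj" -eq "${2%%.*}" ] && [ "$min" -lt "${2#*.}" ]; }
}

# $1 = kernel release, stdin = /proc/crypto text. Prints one of:
# suspect (aesni_intel preferred on a pre-4.1 kernel), ok, no-rfc4106-gcm.
gcm256_check() {
    impl=$(best_impl 'rfc4106(gcm(aes))') || { echo no-rfc4106-gcm; return 0; }
    case $impl in
        "aesni_intel "*) if kernel_older_than "$1" 4.1; then echo suspect; return 0; fi ;;
    esac
    echo ok
}

# Sample run with the thread's kernel; live: gcm256_check "$(uname -r)" < /proc/crypto
printf '%s\n' "$SAMPLE_CRYPTO" | gcm256_check "3.13.0-85-generic"
```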