[strongSwan] AH Transport AES-128 GMAC

Gyula Kovács gyula.kovacs.kkb.tech at gmail.com
Sun Nov 6 18:54:37 CET 2016 

Hello,

I'm trying to set up an ikev2/host2host-ah connection according to 
https://www.strongswan.org/testing/testresults/ikev2/host2host-ah/index.html 
page.
The connection is successfully established when I'm using the aesxcbc 
integrity algorithm (as in the example).
See ipsec_listalgs__2.txt, ipsec_status__2.txt and 
ipsec_up_host-host_transport_ah_aesxcbc__2.txt files.

But, according to our customer's requirements, I have to use aes128gmac 
integrity algorithm.
So I changed the "ah=aesxcbc" to "ah=aes128gmac" in the ipsec.conf file.
The connection could not be established with the new setting (see 
ipsec_up_host-host_transport_ah_aes128gmac__2.txt file).

My test environment (both hosts):
- Debian 8.6 VM
- StongSwan 5.5.1 (built as Debian has StrongSwan 5.2.1 by default)

Anybody have an idea what could be wrong?

Best regards,
Gyula Kovacs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161106/5e693643/attachment.html>
-------------- next part --------------
root at atm:/etc/ipsec.d/examples# ipsec listalgs

List of registered IKE algorithms:

  encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] RC2_CBC[rc2] CAMELLIA_CBC[openssl] CAST_CBC[openssl]
              BLOWFISH_CBC[openssl] NULL[openssl]
  integrity:  HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
              HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
              HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
              AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
  aead:       AES_GCM_16[openssl] AES_GCM_12[openssl] AES_GCM_8[openssl]
  hasher:     HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
              HASH_MD4[openssl]
  prf:        PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
              PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
              PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
  xof:
  dh-group:   ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl]
              ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl]
              MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
              MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]
root at atm:/etc/ipsec.d/examples#
-------------- next part --------------
root at atm:/etc/ipsec.d/examples# ipsec status
Security Associations (1 up, 0 connecting):
   host-host[1]: ESTABLISHED 91 seconds ago, 192.168.1.211[!DELETED-BECAUSE-OF-CONFIDENTIALITY!]...192.168.1.212[!DELETED-BECAUSE-OF-CONFIDENTIALITY!]
   host-host{1}:  INSTALLED, TRANSPORT, reqid 1, AH SPIs: c621bb4b_i c47a8f2e_o
   host-host{1}:   192.168.1.211/32 === 192.168.1.212/32
root at atm:/etc/ipsec.d/examples#
-------------- next part --------------
root at atm:/etc/ipsec.d/examples# ipsec up host-host
initiating IKE_SA host-host[1] to 192.168.1.212
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.211[500] to 192.168.1.212[500] (1156 bytes)
received packet: from 192.168.1.212[500] to 192.168.1.211[500] (657 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
received cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
received cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
received cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
sending cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
sending cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
sending cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
authentication of '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
splitting IKE message with length of 1920 bytes into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (1236 bytes)
sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (756 bytes)
received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (548 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
received end entity cert "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  using certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  using trusted intermediate ca certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
checking certificate status of "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  fetching crl from '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' ...
libcurl request failed [6]: Could not resolve host: !DELETED-BECAUSE-OF-CONFIDENTIALITY!
crl fetching failed
certificate status is not available
  using trusted intermediate ca certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
checking certificate status of "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  fetching crl from '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' ...
libcurl request failed [6]: Could not resolve host: !DELETED-BECAUSE-OF-CONFIDENTIALITY!
crl fetching failed
certificate status is not available
  using trusted ca certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
checking certificate status of "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  fetching crl from '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' ...
libcurl request failed [6]: Could not resolve host: !DELETED-BECAUSE-OF-CONFIDENTIALITY!
crl fetching failed
certificate status is not available
  reached self-signed root ca with a path length of 2
authentication of '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' with RSA_EMSA_PKCS1_SHA2_256 successful
IKE_SA host-host[1] established between 192.168.1.211[!DELETED-BECAUSE-OF-CONFIDENTIALITY!]...192.168.1.212[!DELETED-BECAUSE-OF-CONFIDENTIALITY!]
scheduling reauthentication in 9967s
maximum IKE_SA lifetime 10507s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 10183s, scheduling reauthentication in 9643s
peer supports MOBIKE
establishing connection 'host-host' failed
root at atm:/etc/ipsec.d/examples#
-------------- next part --------------
root at atm:/etc/ipsec.d/examples# ipsec up host-host
initiating IKE_SA host-host[1] to 192.168.1.212
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.211[500] to 192.168.1.212[500] (1156 bytes)
received packet: from 192.168.1.212[500] to 192.168.1.211[500] (657 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
received cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
received cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
received cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
sending cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
sending cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
sending cert request for "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
authentication of '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
splitting IKE message with length of 1920 bytes into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (1236 bytes)
sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (756 bytes)
received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (628 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
received end entity cert "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  using certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  using trusted intermediate ca certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
checking certificate status of "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  fetching crl from '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' ...
libcurl request failed [6]: Could not resolve host: !DELETED-BECAUSE-OF-CONFIDENTIALITY!
crl fetching failed
certificate status is not available
  using trusted intermediate ca certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
checking certificate status of "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  fetching crl from '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' ...
libcurl request failed [6]: Could not resolve host: !DELETED-BECAUSE-OF-CONFIDENTIALITY!
crl fetching failed
certificate status is not available
  using trusted ca certificate "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
checking certificate status of "!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
  fetching crl from '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' ...
libcurl request failed [6]: Could not resolve host: !DELETED-BECAUSE-OF-CONFIDENTIALITY!
crl fetching failed
certificate status is not available
  reached self-signed root ca with a path length of 2
authentication of '!DELETED-BECAUSE-OF-CONFIDENTIALITY!' with RSA_EMSA_PKCS1_SHA2_256 successful
IKE_SA host-host[1] established between 192.168.1.211[!DELETED-BECAUSE-OF-CONFIDENTIALITY!]...192.168.1.212[!DELETED-BECAUSE-OF-CONFIDENTIALITY!]
scheduling reauthentication in 10083s
maximum IKE_SA lifetime 10623s
CHILD_SA host-host{1} established with SPIs c621bb4b_i c47a8f2e_o and TS 192.168.1.211/32 === 192.168.1.212/32
connection 'host-host' established successfully
root at atm:/etc/ipsec.d/examples#
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
	keyexchange=ikev2

conn host-host
	left=192.168.1.211
	leftcert=atmIpSecCert.pem
	leftid="!DELETED-BECAUSE-OF-CONFIDENTIALITY!"
	leftfirewall=yes
	right=192.168.1.212
	rightid=%any
	type=transport
	ah=aesxcbc
	auto=add

More information about the Users mailing list