[strongSwan] AH Transport AES CMAC PSK

Gyula Kovács gyula.kovacs.kkb.tech at gmail.com
Sun Nov 27 14:46:46 CET 2016


Hello,

I tried to set up an ikev2/host2host-ah connection with a pre-shared key.
The connection failed when choosing aescmac as the integrity algorithm.
The connection was successfully built up when choosing the aesxcbc integrity 
algorithm.
I tried this scenario on two Debian 8.6 VMs (kernel 3.16.0-4-586 with 
CONFIG_CRYPTO_CMAC=m option set) with the latest StrongSwan (v5.5.1).
I checked the log files, and found the "algorithm AES_CMAC_96 not supported 
by kernel!" message.
Additionally, I found that AES-CMAC-96 is not supported by StrongSwan 
(https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards).

Where does this limitation come from?
Does it come from the StrongSwan implementation or from the Linux kernel (as 
suggested by the error message)?
Does anybody have ideas?

Best regards,
Gyula Kovacs

-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
	ikelifetime=25m
	keylife=10m
	rekeymargin=3m
	keyingtries=%forever
	keyexchange=ikev2
	authby=secret

conn host-host
	left=192.168.1.211
	leftfirewall=yes
	right=192.168.1.212
	type=transport
	# ah=aesxcbc!
	ah=aescmac
	auto=start
	closeaction=hold
	dpdaction=hold
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
	ikelifetime=25m
	keylife=10m
	rekeymargin=3m
	keyingtries=%forever
	keyexchange=ikev2
	authby=secret

conn host-host
	left=192.168.1.212
	leftfirewall=yes
	right=192.168.1.211
	type=transport
	# ah=aesxcbc!
	ah=aescmac
	auto=start
	closeaction=hold
	dpdaction=hold
-------------- next part --------------
Nov 27 11:11:08 mgu charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 3.16.0-4-586, i686)
Nov 27 11:11:08 mgu charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 27 11:11:08 mgu charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 27 11:11:08 mgu charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 27 11:11:08 mgu charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 27 11:11:08 mgu charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 27 11:11:08 mgu charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 27 11:11:08 mgu charon: 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
Nov 27 11:11:08 mgu charon: 00[CFG] loading secrets from '/etc/ipsec.d/examples/ipsec.secrets.mgu'
Nov 27 11:11:08 mgu charon: 00[CFG]   loaded IKE secret for %any
Nov 27 11:11:08 mgu charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac gcm curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Nov 27 11:11:08 mgu charon: 00[JOB] spawning 16 worker threads
Nov 27 11:11:08 mgu charon: 05[CFG] received stroke: add connection 'host-host'
Nov 27 11:11:08 mgu charon: 05[CFG] added configuration 'host-host'
Nov 27 11:11:08 mgu charon: 09[CFG] received stroke: initiate 'host-host'
Nov 27 11:11:08 mgu charon: 09[IKE] initiating IKE_SA host-host[1] to 192.168.1.211
Nov 27 11:11:08 mgu charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 27 11:11:08 mgu charon: 09[NET] sending packet: from 192.168.1.212[500] to 192.168.1.211[500] (1156 bytes)
Nov 27 11:11:09 mgu charon: 15[NET] received packet: from 192.168.1.211[500] to 192.168.1.212[500] (592 bytes)
Nov 27 11:11:09 mgu charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 27 11:11:09 mgu charon: 15[IKE] authentication of '192.168.1.212' (myself) with pre-shared key
Nov 27 11:11:09 mgu charon: 15[IKE] establishing CHILD_SA host-host
Nov 27 11:11:09 mgu charon: 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 27 11:11:09 mgu charon: 15[NET] sending packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (336 bytes)
Nov 27 11:11:09 mgu charon: 11[NET] received packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (160 bytes)
Nov 27 11:11:09 mgu charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Nov 27 11:11:09 mgu charon: 11[IKE] authentication of '192.168.1.211' with pre-shared key successful
Nov 27 11:11:09 mgu charon: 11[IKE] IKE_SA host-host[1] established between 192.168.1.212[192.168.1.212]...192.168.1.211[192.168.1.211]
Nov 27 11:11:09 mgu charon: 11[IKE] scheduling reauthentication in 1300s
Nov 27 11:11:09 mgu charon: 11[IKE] maximum IKE_SA lifetime 1480s
Nov 27 11:11:09 mgu charon: 11[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 27 11:11:09 mgu charon: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:09 mgu charon: 11[IKE] received AUTH_LIFETIME of 1158s, scheduling reauthentication in 978s
Nov 27 11:11:09 mgu charon: 11[IKE] peer supports MOBIKE
Nov 27 11:11:14 mgu charon: 12[NET] received packet: from 192.168.1.211[500] to 192.168.1.212[500] (1156 bytes)
Nov 27 11:11:14 mgu charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 27 11:11:14 mgu charon: 12[IKE] 192.168.1.211 is initiating an IKE_SA
Nov 27 11:11:14 mgu charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 27 11:11:14 mgu charon: 12[NET] sending packet: from 192.168.1.212[500] to 192.168.1.211[500] (592 bytes)
Nov 27 11:11:14 mgu charon: 05[NET] received packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (320 bytes)
Nov 27 11:11:14 mgu charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 27 11:11:14 mgu charon: 05[CFG] looking for peer configs matching 192.168.1.212[192.168.1.212]...192.168.1.211[192.168.1.211]
Nov 27 11:11:14 mgu charon: 05[CFG] selected peer config 'host-host'
Nov 27 11:11:14 mgu charon: 05[IKE] authentication of '192.168.1.211' with pre-shared key successful
Nov 27 11:11:14 mgu charon: 05[IKE] peer supports MOBIKE
Nov 27 11:11:14 mgu charon: 05[IKE] authentication of '192.168.1.212' (myself) with pre-shared key
Nov 27 11:11:14 mgu charon: 05[IKE] IKE_SA host-host[2] established between 192.168.1.212[192.168.1.212]...192.168.1.211[192.168.1.211]
Nov 27 11:11:14 mgu charon: 05[IKE] scheduling reauthentication in 1318s
Nov 27 11:11:14 mgu charon: 05[IKE] maximum IKE_SA lifetime 1498s
Nov 27 11:11:14 mgu charon: 05[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:14 mgu charon: 05[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:14 mgu charon: 05[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 27 11:11:14 mgu charon: 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:14 mgu charon: 05[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Nov 27 11:11:14 mgu charon: 05[NET] sending packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (160 bytes)
Nov 27 11:11:15 mgu charon: 13[NET] received packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (272 bytes)
Nov 27 11:11:15 mgu charon: 13[ENC] parsed CREATE_CHILD_SA request 0 [ N(USE_TRANSP) SA No TSi TSr ]
Nov 27 11:11:15 mgu charon: 13[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:15 mgu charon: 13[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:15 mgu charon: 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 27 11:11:15 mgu charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:15 mgu charon: 13[ENC] generating CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 27 11:11:15 mgu charon: 13[NET] sending packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (80 bytes)
Nov 27 11:11:24 mgu charon: 11[IKE] deleting IKE_SA host-host[1] between 192.168.1.212[192.168.1.212]...192.168.1.211[192.168.1.211]
Nov 27 11:11:24 mgu charon: 11[IKE] sending DELETE for IKE_SA host-host[1]
Nov 27 11:11:24 mgu charon: 11[ENC] generating INFORMATIONAL request 2 [ D ]
Nov 27 11:11:24 mgu charon: 11[NET] sending packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (80 bytes)
Nov 27 11:11:24 mgu charon: 09[NET] received packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (80 bytes)
Nov 27 11:11:24 mgu charon: 09[ENC] parsed INFORMATIONAL response 2 [ ]
Nov 27 11:11:24 mgu charon: 09[IKE] IKE_SA deleted
root@mgu:/etc/ipsec.d/examples#
-------------- next part --------------
Nov 27 11:11:02 atm charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 3.16.0-4-586, i686)
Nov 27 11:11:02 atm charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 27 11:11:02 atm charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 27 11:11:02 atm charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 27 11:11:02 atm charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 27 11:11:02 atm charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 27 11:11:02 atm charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 27 11:11:02 atm charon: 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
Nov 27 11:11:02 atm charon: 00[CFG] loading secrets from '/etc/ipsec.d/examples/ipsec.secrets.atm'
Nov 27 11:11:02 atm charon: 00[CFG]   loaded IKE secret for %any
Nov 27 11:11:02 atm charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc cmac hmac gcm curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Nov 27 11:11:02 atm charon: 00[JOB] spawning 16 worker threads
Nov 27 11:11:02 atm charon: 05[CFG] received stroke: add connection 'host-host'
Nov 27 11:11:02 atm charon: 05[CFG] added configuration 'host-host'
Nov 27 11:11:02 atm charon: 06[CFG] received stroke: initiate 'host-host'
Nov 27 11:11:02 atm charon: 06[IKE] initiating IKE_SA host-host[1] to 192.168.1.212
Nov 27 11:11:03 atm charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 27 11:11:03 atm charon: 06[NET] sending packet: from 192.168.1.211[500] to 192.168.1.212[500] (1156 bytes)
Nov 27 11:11:07 atm charon: 15[IKE] retransmit 1 of request with message ID 0
Nov 27 11:11:07 atm charon: 15[NET] sending packet: from 192.168.1.211[500] to 192.168.1.212[500] (1156 bytes)
Nov 27 11:11:08 atm charon: 08[NET] received packet: from 192.168.1.212[500] to 192.168.1.211[500] (1156 bytes)
Nov 27 11:11:08 atm charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 27 11:11:08 atm charon: 08[IKE] 192.168.1.212 is initiating an IKE_SA
Nov 27 11:11:09 atm charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 27 11:11:09 atm charon: 08[NET] sending packet: from 192.168.1.211[500] to 192.168.1.212[500] (592 bytes)
Nov 27 11:11:09 atm charon: 13[NET] received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (336 bytes)
Nov 27 11:11:09 atm charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 27 11:11:09 atm charon: 13[CFG] looking for peer configs matching 192.168.1.211[192.168.1.211]...192.168.1.212[192.168.1.212]
Nov 27 11:11:09 atm charon: 13[CFG] selected peer config 'host-host'
Nov 27 11:11:09 atm charon: 13[IKE] authentication of '192.168.1.212' with pre-shared key successful
Nov 27 11:11:09 atm charon: 13[IKE] peer supports MOBIKE
Nov 27 11:11:09 atm charon: 13[IKE] authentication of '192.168.1.211' (myself) with pre-shared key
Nov 27 11:11:09 atm charon: 13[IKE] IKE_SA host-host[2] established between 192.168.1.211[192.168.1.211]...192.168.1.212[192.168.1.212]
Nov 27 11:11:09 atm charon: 13[IKE] scheduling reauthentication in 1158s
Nov 27 11:11:09 atm charon: 13[IKE] maximum IKE_SA lifetime 1338s
Nov 27 11:11:09 atm charon: 13[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:09 atm charon: 13[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:09 atm charon: 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 27 11:11:09 atm charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:09 atm charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Nov 27 11:11:09 atm charon: 13[NET] sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (160 bytes)
Nov 27 11:11:14 atm charon: 09[IKE] retransmit 2 of request with message ID 0
Nov 27 11:11:14 atm charon: 09[NET] sending packet: from 192.168.1.211[500] to 192.168.1.212[500] (1156 bytes)
Nov 27 11:11:14 atm charon: 12[NET] received packet: from 192.168.1.212[500] to 192.168.1.211[500] (592 bytes)
Nov 27 11:11:14 atm charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 27 11:11:14 atm charon: 12[IKE] authentication of '192.168.1.211' (myself) with pre-shared key
Nov 27 11:11:14 atm charon: 12[IKE] establishing CHILD_SA host-host
Nov 27 11:11:14 atm charon: 12[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 27 11:11:14 atm charon: 12[NET] sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (320 bytes)
Nov 27 11:11:14 atm charon: 13[NET] received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (160 bytes)
Nov 27 11:11:14 atm charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Nov 27 11:11:14 atm charon: 13[IKE] authentication of '192.168.1.212' with pre-shared key successful
Nov 27 11:11:14 atm charon: 13[IKE] IKE_SA host-host[1] established between 192.168.1.211[192.168.1.211]...192.168.1.212[192.168.1.212]
Nov 27 11:11:14 atm charon: 13[IKE] scheduling reauthentication in 1289s
Nov 27 11:11:14 atm charon: 13[IKE] maximum IKE_SA lifetime 1469s
Nov 27 11:11:14 atm charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 27 11:11:14 atm charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:14 atm charon: 13[IKE] received AUTH_LIFETIME of 1318s, scheduling reauthentication in 1138s
Nov 27 11:11:14 atm charon: 13[IKE] peer supports MOBIKE
Nov 27 11:11:15 atm charon: 12[CFG] received stroke: initiate 'host-host'
Nov 27 11:11:15 atm charon: 08[IKE] establishing CHILD_SA host-host
Nov 27 11:11:15 atm charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ N(USE_TRANSP) SA No TSi TSr ]
Nov 27 11:11:15 atm charon: 08[NET] sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (272 bytes)
Nov 27 11:11:15 atm charon: 06[NET] received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (80 bytes)
Nov 27 11:11:15 atm charon: 06[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Nov 27 11:11:15 atm charon: 06[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 27 11:11:15 atm charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:24 atm charon: 09[NET] received packet: from 192.168.1.212[4500] to 192.168.1.211[4500] (80 bytes)
Nov 27 11:11:24 atm charon: 09[ENC] parsed INFORMATIONAL request 2 [ D ]
Nov 27 11:11:24 atm charon: 09[IKE] received DELETE for IKE_SA host-host[2]
Nov 27 11:11:24 atm charon: 09[IKE] deleting IKE_SA host-host[2] between 192.168.1.211[192.168.1.211]...192.168.1.212[192.168.1.212]
Nov 27 11:11:24 atm charon: 09[IKE] IKE_SA deleted
Nov 27 11:11:24 atm charon: 09[ENC] generating INFORMATIONAL response 2 [ ]
Nov 27 11:11:24 atm charon: 09[NET] sending packet: from 192.168.1.211[4500] to 192.168.1.212[4500] (80 bytes)
root@atm:/etc/ipsec.d/examples#
-------------- next part --------------
root@atm:/etc/ipsec.d/examples# ipsec listalgs

List of registered IKE algorithms:

  encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] RC2_CBC[rc2] CAMELLIA_CBC[openssl] CAST_CBC[openssl]
              BLOWFISH_CBC[openssl] NULL[openssl]
  integrity:  HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
              HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
              HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
              AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
  aead:       AES_GCM_16[openssl] AES_GCM_12[openssl] AES_GCM_8[openssl]
  hasher:     HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
              HASH_MD4[openssl]
  prf:        PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
              PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
              PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
  xof:
  dh-group:   ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl]
              ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl]
              MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
              MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]
root@atm:/etc/ipsec.d/examples#
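
In the two logs above, the host answering a CHILD_SA request fails locally ([KNL] message, then "unable to install"), while the host that sent the request only sees NO_PROPOSAL_CHOSEN. The following is an added example, not part of the original post or of strongSwan: a Python triage that attributes each "failed to establish CHILD_SA" line to one of those two causes. The cause labels and function names are this example's own.

```python
import re
from collections import defaultdict

# Charon syslog line, in the format of the attached logs.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) charon: "
                  r"(?P<thread>\d+)\[(?P<sub>[A-Z]{3})\] (?P<msg>.*)$")
UNSUPPORTED = re.compile(r"algorithm (\S+) not supported by kernel!")

# Excerpted from the mgu log above (not constructed).
SAMPLE = """\
Nov 27 11:11:09 mgu charon: 11[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Nov 27 11:11:09 mgu charon: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 27 11:11:14 mgu charon: 05[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:14 mgu charon: 05[KNL] algorithm AES_CMAC_96 not supported by kernel!
Nov 27 11:11:14 mgu charon: 05[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 27 11:11:14 mgu charon: 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
""".splitlines()


def triage(lines):
    """Return one finding per failed CHILD_SA with the cause seen on that thread."""
    pending = defaultdict(dict)  # (host, worker thread) -> evidence so far
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key, sub, msg = (m["host"], m["thread"]), m["sub"], m["msg"]
        ev = pending[key]
        alg = UNSUPPORTED.match(msg) if sub == "KNL" else None
        if alg:
            ev["algorithm"] = alg.group(1)
        elif sub == "IKE" and msg.startswith("unable to install"):
            ev["cause"] = "local-sa-install"  # this host could not install the SA
        elif sub == "IKE" and msg.startswith("received NO_PROPOSAL_CHOSEN"):
            ev.setdefault("cause", "peer-no-proposal")  # the peer refused the proposal
        elif sub == "IKE" and msg.startswith("failed to establish CHILD_SA"):
            findings.append({"ts": m["ts"], "host": m["host"],
                             "cause": ev.get("cause", "unknown"),
                             "algorithm": ev.get("algorithm")})
            del pending[key]  # worker threads are reused for later exchanges
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "peer-no-proposal" finding means the explanation is in the other host's log, so run the triage over both files.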