[strongSwan] AH Transport AES CMAC PSK

Andreas Steffen andreas.steffen at strongswan.org
Sun Nov 27 15:20:41 CET 2016

Hi Gyula,

the Linux kernel does not support AES_CMAC but strongSwan has IKE
support via the cmac plugin which is enabled by default.



On 27.11.2016 14:46, Gyula Kovács wrote:
> Hello,
> I tried to set up an ikev2/host2host-ah connectionwith pre-shared key.
> The connection failed, when choosing aescmac as integrity algorithm.
> The connection was successfully built up when choosing aesxcbc integrity
> algorithm.
> I tried this scenario on two Debian 8.6 VMs (kernel 3.16.0-4-586 with
> CONFIG_CRYPTO_CMAC=m option set) with the latest StrongSwan (v5.5.1).
> I checked the log files, and found "algorithm AES_CMAC_96 not supported
> by kernel!" message.
> Additionally, I found that AES-CMAC-96 is not supported by StrongSwan
> (https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards).
> From where comes this limitation?
> Does it come from StrongSwan implementation or from Linux kernel (as
> suggested by the error message)?
> Does anybody have ideas?
> Best regards,
> Gyula Kovacs
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161127/5d4f9b35/attachment-0001.bin>

More information about the Users mailing list