[strongSwan] sha256 failing with netlink error
Lakshmi Prasanna
lakshmi.1147 at gmail.com
Wed Sep 21 14:16:41 CEST 2016
Hi Andreas,
Does IKEv1 support SHA_256_96 for ESP? I see that strongSwan does not send
out the integrity algorithm when configured as SHA-256_96 for IKEv1.
However it works for IKEv2.
Thanks,
Lakshmi
On Fri, Aug 12, 2016 at 9:26 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Lakshmi,
>
> SHA-256 was implemented incorrectly for ESP with a 96 bit instead
> of the standard 128 bit truncation in Linux kernels older than
> 2.6.33.
>
> Workarounds:
>
> 1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)
>
> 2) If you run strongSwan on both VPN end points you can select the
> incorrect non-standard 96 bit truncation size by configuring
>
> esp=aes128-sha256_96
>
> In order for this non-standard algorithm ID to be accepted it might
> also be necessary to activate the sending of the strongSwan vendor id
> by setting
>
> charon {
>     send_vendor_id = yes
> }
>
> in /etc/strongswan.conf
>
> Regards
>
> Andreas
>
>
> On 12.08.2016 03:04, Lakshmi Prasanna wrote:
>
>> Experts,
>>
>> Need urgent help.
>>
>> When I try to use strongswan with SHA256, I see that the negotiation
>> fails at child SA creation time. I am using
>> strongSwan 5.1.3, Linux 2.6.21 version. Following is the log:
>>
>> parsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
>>
>> received netlink error: Invalid argument (22)
>>
>> unable to add SAD entry with SPI c28f19c1
>>
>> received netlink error: Invalid argument (22)
>>
>> unable to add SAD entry with SPI c088894f
>>
>> unable to install inbound and outbound IPsec SA (SAD) in kernel
>>
>> failed to establish CHILD_SA, keeping IKE_SA
>>
>> sending DELETE for ESP CHILD_SA with SPI c28f19c1
>>
>>
>> I have already tried the changes mentioned in
>> https://lists.strongswan.org/pipermail/users/2013-September/005203.html
>> and it doesn't seem to work.
>>
>> Is there any other fix for this issue?
>>
>> Rgds,
>>
>> Lakshmi
>>
>> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
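Added example (not part of the original thread, and not strongSwan or kernel code): a simplified model of ESP integrity checking with HMAC-SHA-256, showing why both end points must use the same truncation length (96 bit non-standard vs. the 128 bit of RFC 4868) for packets to verify. The packet layout is reduced to SPI, sequence number, ciphertext and ICV; the key, SPI and payload are constructed sample values and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread).
KEY = bytes(range(32))                 # 256-bit integrity key
SPI, SEQ = 0x11223344, 1
CIPHERTEXT = bytes(48)                 # stand-in for IV + encrypted payload


def icv(key, authenticated, bits):
    """HMAC-SHA-256 over the authenticated bytes, truncated to `bits`."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[: bits // 8]


def build_esp(key, spi, seq, ciphertext, bits):
    """Simplified ESP packet: SPI | sequence number | ciphertext | ICV."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + icv(key, body, bits)


def verify_esp(key, packet, bits):
    """Receiver side: split off an ICV of the length it expects and check it."""
    n = bits // 8
    if len(packet) < 8 + n:
        return False
    body, received = packet[:-n], packet[-n:]
    return hmac.compare_digest(received, icv(key, body, bits))


def interop_matrix():
    """Map (sender_bits, receiver_bits) -> whether verification succeeds."""
    results = {}
    for tx in (96, 128):
        packet = build_esp(KEY, SPI, SEQ, CIPHERTEXT, tx)
        for rx in (96, 128):
            results[(tx, rx)] = verify_esp(KEY, packet, rx)
    return results


if __name__ == "__main__":
    for (tx, rx), ok in interop_matrix().items():
        status = "ok" if ok else "ICV mismatch"
        print(f"sender sha256_{tx} -> receiver sha256_{rx}: {status}")
```

Only the matching pairs verify; with mismatched lengths the receiver cuts the packet at the wrong offset, so every packet is dropped as an integrity failure.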