[strongSwan] sha256 failing with netlink error
Andreas Steffen
andreas.steffen at strongswan.org
Wed Sep 21 15:05:27 CEST 2016
Hi Lakshmi,
no, IKEv1 does not support SHA2_256_96 for ESP. Since the corresponding
ESP integrity algorithm is in the private identifier range and a
strongSwan Vendor ID is required, you have to use strongSwan on both
IPsec endpoints anyway. Therefore you can always set up the connection
using IKEv2 so that there is no need for the legacy IKEv1 protocol.
If you want to use 96 bit truncation with third party endpoints then the
recommendation is to hack the kernel-netlink interface plugin so that
when ESP SHA2_256 is proposed, strongSwan will use 96 bit instead of
the correct 128 bit truncation. Have a look at the following issue that
was posted a couple of months ago:
https://wiki.strongswan.org/issues/1353
Regards
Andreas
On 21.09.2016 14:16, Lakshmi Prasanna wrote:
> Hi Andreas,
>
> Does IKEv1 support SHA_256_96 for ESP ? I see that strongswan does not
> send out the integrity algorithm when configured as SHA-256_96 for
> IKEv1. However it works for IKEv2.
>
> Thanks,
> Lakshmi
>
>
> On Fri, Aug 12, 2016 at 9:26 AM, Andreas Steffen
> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> wrote:
>
> Hi Lakshmi,
>
> SHA-256 was implemented incorrectly for ESP with a 96 bit instead
> of the standard 128 bit truncation in Linux kernels older than
> 2.6.33.
>
> Workarounds:
>
> 1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)
>
> 2) If you run strongSwan on both VPN end points you can select the
> incorrect non-standard 96 bit truncation size by configuring
>
> esp=aes128-sha256_96
>
> In order for this non-standard algorithm ID to be accepted it might
> also be necessary to activate the sending of the strongSwan vendor id
> by setting
>
> charon {
> send_vendor_id = yes
> }
>
> in /etc/strongswan.conf
>
> Regards
>
> Andreas
>
>
> On 12.08.2016 03:04, Lakshmi Prasanna wrote:
>
> Experts,
>
> Need urgent help.
>
> When I try to use strongswan with SHA256, I see that the negotiation
> fails at child SA creation time. I am using
> strongSwan 5.1.3, Linux 2.6.21 version). Following is the log:
>
> arsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
>
> received netlink error: Invalid argument (22)
>
> unable to add SAD entry with SPI c28f19c1
>
> received netlink error: Invalid argument (22)
>
> unable to add SAD entry with SPI c088894f
>
> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
> failed to establish CHILD_SA, keeping IKE_SA
>
> sending DELETE for ESP CHILD_SA with SPI c28f19c1
>
>
> I have already tried the changes mentioned in
> https://lists.strongswan.org/pipermail/users/2013-September/005203.html
> <https://lists.strongswan.org/pipermail/users/2013-September/005203.html>
> and it doesnt seem to work.
>
> Is there any other fix for this issue?
>
> Rgds,
>
> Lakshmi
>
> ======================================================================
> Andreas Steffen
> andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>
> strongSwan - the Open Source VPN Solution!
> www.strongswan.org <http://www.strongswan.org>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4275 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160921/1767a974/attachment.bin>
More information about the Users
mailing list