[strongSwan] sha256 failing with netlink error
Lakshmi Prasanna
lakshmi.1147 at gmail.com
Wed Sep 21 15:19:11 CEST 2016
Thanks a lot for the quick reply Andreas.
Rgds,
Lakshmi
On Wed, Sep 21, 2016 at 6:35 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Lakshmi,
>
> no, IKEv1 does not support SHA2_256_96 for ESP. Since the corresponding
> ESP integrity algorithm is in the private identifier range and a
> strongSwan Vendor ID is required, you have to use strongSwan on both
> IPsec endpoints anyway. Therefore you can always set up the connection
> using IKEv2 so that there is no need for the legacy IKEv1 protocol.
>
> If you want to use 96 bit truncation with third party endpoints then the
> recommendation is to hack the kernel-netlink interface plugin so that
> when ESP SHA2_256 is proposed, strongSwan will use 96 bit instead of
> the correct 128 bit truncation. Have a look at the following issue that
> was posted a couple of months ago:
>
> https://wiki.strongswan.org/issues/1353
>
> Regards
>
> Andreas
>
> On 21.09.2016 14:16, Lakshmi Prasanna wrote:
> > Hi Andreas,
> >
> > Does IKEv1 support SHA_256_96 for ESP? I see that strongswan does not
> > send out the integrity algorithm when configured as SHA-256_96 for
> > IKEv1. However it works for IKEv2.
> >
> > Thanks,
> > Lakshmi
> >
> >
> > On Fri, Aug 12, 2016 at 9:26 AM, Andreas Steffen
> > <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Lakshmi,
> >
> > SHA-256 was implemented incorrectly for ESP with a 96 bit instead
> > of the standard 128 bit truncation in Linux kernels older than
> > 2.6.33.
> >
> > Workarounds:
> >
> > 1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)
> >
> > 2) If you run strongSwan on both VPN end points you can select the
> > incorrect non-standard 96 bit truncation size by configuring
> >
> > esp=aes128-sha256_96
> >
> > In order for this non-standard algorithm ID to be accepted it might
> > also be necessary to activate the sending of the strongSwan vendor id
> > by setting
> >
> >     charon {
> >         send_vendor_id = yes
> >     }
> >
> > in /etc/strongswan.conf
> >
> > Regards
> >
> > Andreas
> >
> >
> > On 12.08.2016 03:04, Lakshmi Prasanna wrote:
> >
> > Experts,
> >
> > Need urgent help.
> >
> > When I try to use strongswan with SHA256, I see that the negotiation
> > fails at child SA creation time. I am using strongSwan 5.1.3
> > (Linux 2.6.21). Following is the log:
> >
> > parsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
> > received netlink error: Invalid argument (22)
> > unable to add SAD entry with SPI c28f19c1
> > received netlink error: Invalid argument (22)
> > unable to add SAD entry with SPI c088894f
> > unable to install inbound and outbound IPsec SA (SAD) in kernel
> > failed to establish CHILD_SA, keeping IKE_SA
> > sending DELETE for ESP CHILD_SA with SPI c28f19c1
> >
> >
> > I have already tried the changes mentioned in
> > https://lists.strongswan.org/pipermail/users/2013-September/005203.html
> > and it doesn't seem to work.
> >
> > Is there any other fix for this issue?
> >
> > Rgds,
> >
> > Lakshmi
> >
> > ======================================================================
> > Andreas Steffen                         andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> >
> >
>
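The thread turns on one detail: HMAC-SHA-256 in ESP is standardised (RFC 4868) with a 128-bit ICV, while Linux kernels before 2.6.33 truncated it to 96 bits, and strongSwan exposes that legacy variant as the `sha256_96` proposal keyword. The script below is an added example, not code from the thread or from the strongSwan project. It models the sender and receiver side of ESP integrity protection with HMAC-SHA-256 and shows that a truncation mismatch fails verification even when both peers hold the same key, which is why both ends must agree on `sha256` (128 bit) or `sha256_96` (96 bit). The key and payload are constructed test data; the SPI is the one from the posted log, used only as a realistic header value.

```python
import hashlib
import hmac
import struct

# strongSwan ESP proposal keyword for each truncation length.
# sha256_96 is the non-standard 96-bit variant discussed in the thread;
# sha256 is the RFC 4868 128-bit form that kernels >= 2.6.33 implement.
PROPOSAL = {128: "aes128-sha256", 96: "aes128-sha256_96"}

# Constructed test vectors (not from the thread): a fixed 256-bit integrity
# key and a short ESP payload ending in an ESP trailer (2 pad bytes,
# pad length = 2, next header = 4 for IP-in-IP).
KEY = bytes(range(32))
SAMPLE_PAYLOAD = b"\x45\x00\x00\x14inner-ip-data" + b"\x00\x00" + b"\x02\x04"


def esp_icv(key: bytes, esp_header: bytes, payload: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA-256 over the authenticated part of an ESP packet (SPI,
    sequence number, payload including the trailer), truncated to the
    leading trunc_bits. RFC 4868 fixes this at 128 bits for ESP; Linux
    kernels before 2.6.33 emitted and expected 96 bits instead."""
    if trunc_bits not in PROPOSAL:
        raise ValueError("only 96- and 128-bit truncation are handled here")
    mac = hmac.new(key, esp_header + payload, hashlib.sha256).digest()
    return mac[: trunc_bits // 8]


def build_esp_packet(key: bytes, spi: int, seq: int, payload: bytes, trunc_bits: int) -> bytes:
    """Sender side: ESP header (SPI, sequence number) + payload + ICV."""
    header = struct.pack("!II", spi, seq)
    return header + payload + esp_icv(key, header, payload, trunc_bits)


def verify_esp_packet(key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """Receiver side: split off the ICV length *it* was configured for and
    recompute the MAC over everything in front of it."""
    icv_len = trunc_bits // 8
    if len(packet) < 8 + icv_len:
        return False
    header, body, icv = packet[:8], packet[8:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, header, body, trunc_bits))


def interop_matrix(key: bytes = KEY, spi: int = 0xC28F19C1, seq: int = 1,
                   payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """For every (sender, receiver) truncation pair, does the receiver accept
    the packet? Only matching pairs succeed: with a mismatch the receiver
    slices the ICV at the wrong offset, so it MACs a different body and
    compares against the wrong tag bytes."""
    results = {}
    for send in PROPOSAL:
        pkt = build_esp_packet(key, spi, seq, payload, send)
        for recv in PROPOSAL:
            results[(send, recv)] = verify_esp_packet(key, pkt, recv)
    return results


if __name__ == "__main__":
    for (send, recv), ok in sorted(interop_matrix().items()):
        print(f"sender {PROPOSAL[send]:17s} -> receiver {PROPOSAL[recv]:17s}: "
              f"{'OK' if ok else 'ICV mismatch, packet dropped'}")
```

Run stand-alone it prints the four combinations; the two diagonal entries succeed and the two mixed ones fail. That is the data-plane consequence of the thread's advice: a pre-2.6.33 kernel talking to a standards-conforming peer drops every ESP packet, so either both ends are moved to `sha256_96` (strongSwan on both sides, vendor ID enabled) or the old kernel is replaced.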