[strongSwan] SHA1 vs SHA256

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 4 12:48:23 CEST 2017


Hi Dusan,

this is a Linux kernel issue. Which kernel versions are you running
on the two endpoints?.

Regards

Andreas

On 04.08.2017 12:41, Dusan Ilic wrote:
> Hi Noel,
> 
> One side is Strongswan 5.2.2 and the other is 5.5.2.
> How do I switch?
> 
> 
> Den 2017-08-04 kl. 12:25, skrev Noel Kuntze:
>> the remote peer probably uses the DRAFT variant of sha2-256, which
>> uses 96 bit truncation. strongSwan uses the actual standardized
>> variant that truncates to 128 bit.
>> You can switch between the two in the newest version of strongSwan
>>
>> On 04.08.2017 12:23, Dusan Ilic wrote:
>>> Hello!
>>>
>>> I have a strange issue, with both settings below the tunnel goes up
>>> as it should, but only with SHA1 in ESP traffic goes through. When I
>>> ping the remote client with ESP SHA256 it times out, even though the
>>> tunnel reports as being up by Strongswan.
>>>
>>> Traffic working:
>>>
>>> ike=aes256-sha256-modp2048!
>>> esp=aes128-sha1-modp2048!
>>>
>>> Traffic not working:
>>>
>>> ike=aes256-sha256-modp2048!
>>> esp=aes256-sha256-modp2048!
>>>
>>> Below combo doesn't work either:
>>>
>>> ike=aes256-sha256-modp2048!
>>> esp=aes128-sha256-modp2048!
>>>
>>>
>>> Also, are above settings good? I'm having AES128 on ESP because with
>>> AES256 I loose too much througput. Do you have any suggestions for
>>> change?
>>>
>>>
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170804/bcee5bf8/attachment.bin>


More information about the Users mailing list