[strongSwan] SHA1 vs SHA256

Dusan Ilic dusan at comhem.se
Fri Aug 4 16:41:36 CEST 2017


Hi Andreas

One side is 2.6.36 and the other 3.10.20


Den 2017-08-04 kl. 12:48, skrev Andreas Steffen:
> Hi Dusan,
>
> this is a Linux kernel issue. Which kernel versions are you running
> on the two endpoints?
>
> Regards
>
> Andreas
>
> On 04.08.2017 12:41, Dusan Ilic wrote:
>> Hi Noel,
>>
>> One side is Strongswan 5.2.2 and the other is 5.5.2.
>> How do I switch?
>>
>>
>> Den 2017-08-04 kl. 12:25, skrev Noel Kuntze:
>>> the remote peer probably uses the DRAFT variant of sha2-256, which
>>> uses 96 bit truncation. strongSwan uses the actual standardized
>>> variant that truncates to 128 bit.
>>> You can switch between the two in the newest version of strongSwan
>>>
>>> On 04.08.2017 12:23, Dusan Ilic wrote:
>>>> Hello!
>>>>
>>>> I have a strange issue, with both settings below the tunnel goes up
>>>> as it should, but only with SHA1 in ESP traffic goes through. When I
>>>> ping the remote client with ESP SHA256 it times out, even though the
>>>> tunnel reports as being up by Strongswan.
>>>>
>>>> Traffic working:
>>>>
>>>> ike=aes256-sha256-modp2048!
>>>> esp=aes128-sha1-modp2048!
>>>>
>>>> Traffic not working:
>>>>
>>>> ike=aes256-sha256-modp2048!
>>>> esp=aes256-sha256-modp2048!
>>>>
>>>> Below combo doesn't work either:
>>>>
>>>> ike=aes256-sha256-modp2048!
>>>> esp=aes128-sha256-modp2048!
>>>>
>>>>
>>>> Also, are above settings good? I'm having AES128 on ESP because with
>>>> AES256 I lose too much throughput. Do you have any suggestions for
>>>> change?
>>>>
>>>>
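The failure mode described in this thread (IKE succeeds, so the tunnel reports up, but every ESP packet is silently dropped) follows from the two HMAC-SHA-256 truncation lengths: 96 bits in the old IETF draft versus 128 bits in RFC 4868. The example below is an added illustration, not strongSwan or kernel code, and uses a simplified, constructed ESP layout (SPI, sequence number, payload, ICV; no IV, padding or trailer) to show that an ICV computed at one length never verifies at the other.

```python
import hmac
import hashlib

# Truncation lengths for HMAC-SHA-256 as an ESP integrity algorithm:
# the IETF draft variant keeps 96 bits, RFC 4868 (the standardized one) 128 bits.
TRUNC_DRAFT_BITS = 96
TRUNC_RFC4868_BITS = 128


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """Integrity Check Value: HMAC-SHA-256 over header+payload, truncated."""
    full = hmac.new(key, authenticated, hashlib.sha256).digest()
    return full[: trunc_bits // 8]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes, trunc_bits: int) -> bytes:
    """Constructed, simplified ESP packet: SPI(4) | seq(4) | payload | ICV."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authed = header + payload
    return authed + esp_icv(key, authed, trunc_bits)


def verify_esp(key: bytes, packet: bytes, expected_trunc_bits: int) -> bool:
    """Receiver side: strip the ICV length it expects and recompute."""
    icv_len = expected_trunc_bits // 8
    if len(packet) < 8 + icv_len:
        return False
    authed, icv = packet[:-icv_len], packet[-icv_len:]
    # Constant-time comparison, as an ICV check should be.
    return hmac.compare_digest(icv, esp_icv(key, authed, expected_trunc_bits))


def interop(sender_bits: int, receiver_bits: int) -> bool:
    """Does a packet built with one truncation verify under the other?"""
    key = bytes(range(32))  # constructed sample key; IKE would have derived this
    pkt = build_esp(key, 0x1000, 1, b"ICMP echo request (constructed)", sender_bits)
    return verify_esp(key, pkt, receiver_bits)


if __name__ == "__main__":
    for s, r in [(96, 96), (128, 128), (96, 128), (128, 96)]:
        print(f"sender {s}-bit ICV -> receiver expects {r}-bit: {interop(s, r)}")
```

The mismatched cases fail the integrity check on every packet, which is exactly why pings time out while the SA itself looks healthy; matching the truncation on both peers (or falling back to an algorithm both kernels implement identically, as the SHA1 config does here) is the fix.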