[strongSwan] SHA1 vs SHA256

Dusan Ilic dusan at comhem.se
Fri Aug 4 20:46:43 CEST 2017


Hi,

Unfortunately, I'm not following you guys :)
Could someone please clarify?


Den 2017-08-04 kl. 19:04, skrev Noel Kuntze:
> Hi,
>
> IIRC pfkey still uses the old truncation (It's mentioned in some relatively recent ticket).
> Try using kernel-netlink instead.
>
> Kind regards
>
> Noel
>
>
> On 04.08.2017 19:02, Andreas Steffen wrote:
>> Hi Dusan,
>>
>> hmmm, our documentation says that the correct ESP SHA256_128 HMAC
>> truncation was introduced with the 2.6.33 kernel but your kernel
>> might not be a vanilla 2.6.36 kernel:
>>
>>   https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
>>
>>   (ESP integrity algorithm footnote n)
>>
>> Regards
>>
>> Andreas
>>
>> On 04.08.2017 16:41, Dusan Ilic wrote:
>>> Hi Andreas
>>>
>>> One side is 2.6.36 and the other 3.10.20
>>>
>>>
>>> Den 2017-08-04 kl. 12:48, skrev Andreas Steffen:
>>>> Hi Dusan,
>>>>
>>>> this is a Linux kernel issue. Which kernel versions are you running
>>>> on the two endpoints?
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 04.08.2017 12:41, Dusan Ilic wrote:
>>>>> Hi Noel,
>>>>>
>>>>> One side is Strongswan 5.2.2 and the other is 5.5.2.
>>>>> How do I switch?
>>>>>
>>>>>
>>>>> Den 2017-08-04 kl. 12:25, skrev Noel Kuntze:
>>>>>> the remote peer probably uses the DRAFT variant of sha2-256, which
>>>>>> uses 96 bit truncation. strongSwan uses the actual standardized
>>>>>> variant that truncates to 128 bit.
>>>>>> You can switch between the two in the newest version of strongSwan
>>>>>>
>>>>>> On 04.08.2017 12:23, Dusan Ilic wrote:
>>>>>>> Hello!
>>>>>>>
>>>>>>> I have a strange issue, with both settings below the tunnel goes up
>>>>>>> as it should, but only with SHA1 in ESP traffic goes through. When I
>>>>>>> ping the remote client with ESP SHA256 it times out, even though the
>>>>>>> tunnel reports as being up by Strongswan.
>>>>>>>
>>>>>>> Traffic working:
>>>>>>>
>>>>>>> ike=aes256-sha256-modp2048!
>>>>>>> esp=aes128-sha1-modp2048!
>>>>>>>
>>>>>>> Traffic not working:
>>>>>>>
>>>>>>> ike=aes256-sha256-modp2048!
>>>>>>> esp=aes256-sha256-modp2048!
>>>>>>>
>>>>>>> Below combo doesn't work either:
>>>>>>>
>>>>>>> ike=aes256-sha256-modp2048!
>>>>>>> esp=aes128-sha256-modp2048!
>>>>>>>
>>>>>>>
>>>>>>> Also, are above settings good? I'm having AES128 on ESP because with
>>>>>>> AES256 I lose too much throughput. Do you have any suggestions for
>>>>>>> change?
>>>>>>>
>>>>>>>



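The truncation mismatch Noel describes (draft HMAC-SHA-256 with a 96-bit ICV versus the RFC 4868 HMAC-SHA-256-128 with a 128-bit ICV) explains exactly the symptom in the thread: IKE negotiates fine, but every ESP packet fails the receiver's integrity check and is silently dropped, so the tunnel looks up while pings time out. The following script is an added illustration, not code from the thread or from strongSwan; the key and the "ESP packet" bytes are constructed sample values, and the packet layout is simplified to "authenticated data followed by the ICV", which is enough to show why the two sides cannot verify each other's packets. It computes the ICV both ways and runs every sender/receiver combination through a verifier:

```python
import hmac
import hashlib

# Constructed sample inputs (not captured traffic): a fake ESP SPI + sequence
# number header followed by 40 bytes standing in for the encrypted payload.
SAMPLE_ESP = bytes.fromhex("00000001" "00000005") + b"\x42" * 40
SAMPLE_KEY = bytes(range(32))  # constructed 256-bit integrity key

RFC4868_ICV_LEN = 16  # HMAC-SHA-256-128: 128-bit truncation (standardized)
DRAFT_ICV_LEN = 12    # draft-ietf-ipsec-ciph-sha-256: 96-bit truncation (old kernels)


def esp_icv(key: bytes, authenticated_data: bytes, icv_len: int) -> bytes:
    """Full HMAC-SHA-256 over the authenticated ESP bytes, truncated to icv_len."""
    return hmac.new(key, authenticated_data, hashlib.sha256).digest()[:icv_len]


def build_packet(key: bytes, authenticated_data: bytes, icv_len: int) -> bytes:
    """Sender side: append an ICV of the length this peer's kernel produces."""
    return authenticated_data + esp_icv(key, authenticated_data, icv_len)


def verify_packet(key: bytes, packet: bytes, expected_icv_len: int) -> bool:
    """Receiver side: strip the ICV length *it* expects, recompute, compare.

    If the sender used a different truncation, the split point is wrong, the
    recomputed MAC covers different bytes and the packet is rejected.
    """
    if len(packet) <= expected_icv_len:
        return False
    data, icv = packet[:-expected_icv_len], packet[-expected_icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, data, expected_icv_len))


def interop_matrix(key: bytes, data: bytes) -> dict:
    """Map (sender_truncation_bits, receiver_truncation_bits) -> verified?"""
    results = {}
    for sender_len in (DRAFT_ICV_LEN, RFC4868_ICV_LEN):
        packet = build_packet(key, data, sender_len)
        for receiver_len in (DRAFT_ICV_LEN, RFC4868_ICV_LEN):
            results[(sender_len * 8, receiver_len * 8)] = verify_packet(
                key, packet, receiver_len
            )
    return results


if __name__ == "__main__":
    for (tx, rx), ok in interop_matrix(SAMPLE_KEY, SAMPLE_ESP).items():
        print(f"sender {tx:3d}-bit ICV -> receiver expects {rx:3d}-bit: "
              f"{'verified' if ok else 'DROPPED'}")
```

Only the two diagonal cases verify; the mixed cases are dropped at the receiver, which is why the problem appears as a working tunnel with no traffic rather than as a negotiation failure. Because the drop happens inside the kernel's ESP processing, the fix has to make both sides use the same truncation, either by moving the old endpoint to a kernel with the RFC 4868 behaviour or by configuring the peer to deliberately use the 96-bit variant (strongSwan exposes that as the `sha256_96` keyword in its ESP proposal syntax, as an assumption here since the thread does not name it).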