[strongSwan] SHA1 vs SHA256

Thomas Egerer hakke_007 at gmx.de
Sun Aug 6 16:49:46 CEST 2017


Hello Dusan,

If you haven't yet updated your kernel, we might shed some light on
the problem. Set up the tunnel with SHA256 and send a couple of
packets from both sides. Then provide the output of
'ip -s x s s'

Cheers,
Thomas


On 08/04/2017 12:23 PM, Dusan Ilic wrote:
> Hello!
> 
> I have a strange issue: with both settings below the tunnel goes up as it should, but only with SHA1 in ESP does traffic go through. When I ping the remote client with ESP SHA256 it times out, even though the tunnel is reported as being up by strongSwan.
> 
> Traffic working:
> 
> ike=aes256-sha256-modp2048!
> esp=aes128-sha1-modp2048!
> 
> Traffic not working:
> 
> ike=aes256-sha256-modp2048!
> esp=aes256-sha256-modp2048!
> 
> The combo below doesn't work either:
> 
> ike=aes256-sha256-modp2048!
> esp=aes128-sha256-modp2048!
> 
> 
> Also, are the above settings good? I have AES128 on ESP because with AES256 I lose too much throughput. Do you have any suggestions for changes?
> 
> 
