[strongSwan] SHA1 vs SHA256

Dusan Ilic dusan at comhem.se
Sun Aug 6 20:13:18 CEST 2017


Hi Thomas,

I haven't upgraded it because that's not an option; both endpoints are 
routers running embedded Linux.
Below is the output after some pings from both sides.

Strongswan 5.5.2

ip -s x s s
src 85.24.241.x dst 94.254.123.x
        proto esp spi 0xce291943(3458799939) reqid 1(0x00000001) mode tunnel
        replay-window 0 seq 0x00000000 flag nopmtudisc af-unspec (0x00100100)
        auth-trunc hmac(sha256) 0xc45dd8403c10cfd32f8fe74003cc80a309b7a0decb185826ef62ac1763ae4bcd (256 bits) 128
        enc cbc(aes) 0x0abb9115383986028a844ff1e71bd0f55aa22099d76785b288803ed7204aa23e (256 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2762(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          1416(bytes), 25(packets)
          add 2017-08-06 20:08:26 use 2017-08-06 20:08:31
        stats:
          replay-window 0 replay 0 failed 0
src 94.254.123.x dst 85.24.241.x
        proto esp spi 0xc9359a4e(3375733326) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag nopmtudisc af-unspec (0x00100100)
        auth-trunc hmac(sha256) 0xfe9408ba634fe4276972fa79c9b60f12bffc766434298cb25738396d2b94dda9 (256 bits) 128
        enc cbc(aes) 0x1fd6fd06781cee3bab6ed97a2f01793eded22f7360691430fdfb604c4e424066 (256 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2895(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-06 20:08:26 use 2017-08-06 20:08:28
        stats:
          replay-window 0 replay 0 failed 49

Strongswan 5.2.2

ip -s x s s
src 94.254.123.x dst 85.24.241.x
        proto esp spi 0xc9359a4e(3375733326) reqid 1(0x00000001) mode tunnel

On 2017-08-06 at 16:49, Thomas Egerer wrote:
>
> Hello Dusan,
>
> if you haven't yet updated your kernel, we might shed some light on
> the problem. Set up the tunnel with SHA256 and send a couple of
> packets from both sides. Then provide the output of
> 'ip -s x s s'
>
> Cheers,
> Thomas
>
>
> On 08/04/2017 12:23 PM, Dusan Ilic wrote:
>> Hello!
>>
>> I have a strange issue: with both settings below the tunnel goes up as it should, but traffic only goes through with SHA1 in ESP. When I ping the remote client with ESP SHA256 it times out, even though the tunnel is reported as being up by strongSwan.
>>
>> Traffic working:
>>
>> ike=aes256-sha256-modp2048!
>> esp=aes128-sha1-modp2048!
>>
>> Traffic not working:
>>
>> ike=aes256-sha256-modp2048!
>> esp=aes256-sha256-modp2048!
>>
>> Below combo doesn't work either:
>>
>> ike=aes256-sha256-modp2048!
>> esp=aes128-sha256-modp2048!
>>
>>
>> Also, are the above settings good? I'm using AES128 on ESP because with AES256 I lose too much throughput. Do you have any suggestions for changes?
>>
>>
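The posted `ip -s x s s` output already contains the answer to "is the tunnel really passing traffic": on the 5.5.2 host the SA with src 94.254.123.x and dst 85.24.241.x shows 0 packets accepted and `failed 49`, and iproute2 prints xfrm's integrity_failed counter under that label. As an added example (not code from this thread, from the poster, or from the strongSwan project), the script below parses a constructed excerpt modelled on that output, with the keys shortened and the addresses masked as in the post, and flags every SA whose integrity-failure counter is non-zero, reporting the HMAC and the ICV truncation length that follows the key. The `RFC_ICV_BITS` table is the caveat a practitioner would check next: RFC 4868 truncates HMAC-SHA-256 to 128 bits, which is what both SAs above show, while Linux kernels before 2.6.33 truncated it to 96 bits, and strongSwan's `sha256_96` proposal keyword exists for peers that still do. The function and class names are this example's own.

```python
"""Parse `ip -s x s s` output and flag ESP SAs whose packets fail integrity.

Added example for this thread; it is not strongSwan code and not the
poster's own script. SAMPLE is a constructed excerpt modelled on the output
posted in the thread: keys shortened, addresses masked as in the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first SA carries 25 packets, the second delivers
# none and counts 49 integrity failures.
SAMPLE = """\
src 85.24.241.x dst 94.254.123.x
        proto esp spi 0xce291943(3458799939) reqid 1(0x00000001) mode tunnel
        replay-window 0 seq 0x00000000 flag nopmtudisc af-unspec (0x00100100)
        auth-trunc hmac(sha256) 0xc45dd8403c10cfd3 (256 bits) 128
        enc cbc(aes) 0x0abb911538398602 (256 bits)
        lifetime current:
          1416(bytes), 25(packets)
        stats:
          replay-window 0 replay 0 failed 0
src 94.254.123.x dst 85.24.241.x
        proto esp spi 0xc9359a4e(3375733326) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag nopmtudisc af-unspec (0x00100100)
        auth-trunc hmac(sha256) 0xfe9408ba634fe427 (256 bits) 128
        enc cbc(aes) 0x1fd6fd06781cee3b (256 bits)
        lifetime current:
          0(bytes), 0(packets)
        stats:
          replay-window 0 replay 0 failed 49
"""

# ICV length each HMAC is truncated to per RFC 2404 / RFC 4868. Linux kernels
# before 2.6.33 truncated HMAC-SHA-256 to 96 bits instead; strongSwan offers
# the sha256_96 proposal keyword for talking to such peers.
RFC_ICV_BITS = {
    "hmac(sha1)": 96,
    "hmac(sha256)": 128,
    "hmac(sha384)": 192,
    "hmac(sha512)": 256,
}


@dataclass
class XfrmState:
    src: str
    dst: str
    spi: int = 0
    auth: str = ""
    icv_bits: int = 0
    enc: str = ""
    enc_keybits: int = 0
    packets: int = 0
    failed: int = 0  # xfrm's integrity_failed counter, printed as "failed"


def parse_xfrm_states(text):
    """Return one XfrmState per 'src ... dst ...' block of ip xfrm output."""
    states, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:
            cur = XfrmState(src=m.group(1), dst=m.group(2))
            states.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"proto esp spi 0x([0-9a-f]+)", line):
            cur.spi = int(m.group(1), 16)
        elif m := re.match(r"auth-trunc (\S+) 0x[0-9a-f]+ \(\d+ bits\) (\d+)$", line):
            cur.auth, cur.icv_bits = m.group(1), int(m.group(2))
        elif m := re.match(r"enc (\S+) 0x[0-9a-f]+ \((\d+) bits\)$", line):
            cur.enc, cur.enc_keybits = m.group(1), int(m.group(2))
        elif m := re.match(r"\d+\(bytes\), (\d+)\(packets\)$", line):
            cur.packets = int(m.group(1))
        elif m := re.search(r"\breplay \d+ failed (\d+)$", line):
            cur.failed = int(m.group(1))
    return states


def diagnose(states):
    """Describe every SA that counts integrity failures."""
    findings = []
    for st in states:
        if st.failed == 0:
            continue
        expected = RFC_ICV_BITS.get(st.auth)
        note = f"{st.auth} ICV truncated to {st.icv_bits} bits"
        if expected is not None and st.icv_bits != expected:
            note += f" (RFC value is {expected})"
        findings.append(
            f"SA spi 0x{st.spi:08x} {st.src} -> {st.dst}: {st.failed} integrity "
            f"failures, {st.packets} packets accepted; {note}; both ends must "
            "agree on algorithm, key and truncation length"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_xfrm_states(SAMPLE)):
        print(finding)
```

Run it against live output with `ip -s x s s | python3 xfrm_check.py`-style piping after swapping `SAMPLE` for `sys.stdin.read()`; the point of separating `parse_xfrm_states` from `diagnose` is that the same parser can also feed a comparison of the two hosts' SAs, where a differing `auth`, `icv_bits` or key would explain the asymmetric counters seen in the thread.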



More information about the Users mailing list