[strongSwan] configured DH group CURVE_25519 not supported

Eric Germann ekgermann at semperen.com
Wed Aug 30 10:31:30 CEST 2017 

You want --disable-curve25519 to be --enable-curve25519

EKG

> On Aug 30, 2017, at 4:24 AM, Gyula Kovács <gyula.kovacs.kkb.tech at gmail.com> wrote:
> 
> Hi All,
> 
> I've just updated strongSwan from 5.5.1 to 5.6.0.
> After the update, I got the "configured DH group CURVE_25519 not supported" error message.
> The target was working fine before the update, the configuration files were not changed during the update.
> I found some information on the internet, so I know that Curve25519 support was introduced in 5.5.2.
> I checked the build configuration options, and disabled the curve25519 support (--disable-curve25519), but it did not help.
> I have no idea what might cause the problem.
> Any help would be appreciated.
> 
> Best regards,
> Gyula Kovacs
> 
> I added the technical details here.
> 
> Target system:
> - Linux 3.18.31 #1 PREEMPT Tue Aug 29 12:27:09 CEST 2017 armv7l GNU/Linux
> - OpenSSL 1.0.2l  25 May 2017
> - strongSwan configuration options:
>   --build=x86_64-linux --host=arm-oe-linux-gnueabi --target=arm-oe-linux-gnueabi
>   --prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
>   --libexecdir=/usr/lib/strongswan --datadir=/usr/share --sysconfdir=/etc
>   --sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include
>   --oldincludedir=/usr/include --infodir=/usr/share/info --mandir=/usr/share/man
>   --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot=/oe-core/build/tmp-glibc/sysroots/xxxxxxxx
>   --without-lib-prefix --without-systemdsystemunitdir --disable-aesni --enable-charon --enable-curl --disable-curve25519
>   --enable-gmp --disable-ldap --disable-mysql --enable-openssl --disable-scepclient --disable-soup --enable-sqlite
>   --enable-stroke --disable-swanctl --disable-systemd
> 
> Opponent:
> - Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686 GNU/Linux
> - OpenSSL 1.0.1t  3 May 2016
> - strongSwan configuration options:
>   ./configure --prefix=/usr --sysconfdir=/etc --disable-curve25519
> 
> Error message:
> root at mdm9640:~# ipsec up host-host-psk-lan
> initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
> configured DH group CURVE_25519 not supported
> tried to checkin and delete nonexisting IKE_SA
> establishing connection 'host-host-psk-lan' failed
> root at mdm9640:~#
> 
> root at mdm9640:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
>   uptime: 13 seconds, since Jan 01 00:01:30 1970
>   malloc: sbrk 540672, mmap 0, used 229400, free 311272
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
>   160.48.99.98
>   160.48.199.98
> Connections:
> host-host-psk-lan:  160.48.99.98...160.48.99.124  IKEv2
> host-host-psk-lan:   local:  [160.48.99.98] uses pre-shared key authentication
> host-host-psk-lan:   remote: [160.48.99.124] uses pre-shared key authentication
> host-host-psk-lan:   child:  dynamic === dynamic TRANSPORT
> Security Associations (0 up, 0 connecting):
>   none
> root at mdm9640:~#
> 
> Log files:
> root at mdm9640:~# cat /var/log/charon.log
> Jan  1 00:03:35 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l)
> Jan  1 00:03:35 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan  1 00:03:35 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan  1 00:03:35 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jan  1 00:03:35 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jan  1 00:03:35 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  1 00:03:35 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.99.124
> Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.199.124
> Jan  1 00:03:35 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan  1 00:03:35 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan  1 00:03:35 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Jan  1 00:03:35 00[JOB] spawning 16 worker threads
> Jan  1 00:03:35 05[CFG] received stroke: add connection 'host-host-psk-lan'
> Jan  1 00:03:35 05[CFG] added configuration 'host-host-psk-lan'
> Jan  1 00:03:54 07[CFG] received stroke: initiate 'host-host-psk-lan'
> Jan  1 00:03:54 09[IKE] <host-host-psk-lan|1> initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
> Jan  1 00:03:54 09[IKE] <host-host-psk-lan|1> configured DH group CURVE_25519 not supported
> Jan  1 00:03:54 09[MGR] <host-host-psk-lan|1> tried to checkin and delete nonexisting IKE_SA
> Jan  1 00:04:02 00[DMN] signal of type SIGINT received. Shutting down
> root at mdm9640:~#
> 
> Aug 30 10:12:51 mgu charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.16.0-4-586, i686)
> Aug 30 10:12:51 mgu charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Aug 30 10:12:51 mgu charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Aug 30 10:12:51 mgu charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Aug 30 10:12:51 mgu charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Aug 30 10:12:51 mgu charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Aug 30 10:12:51 mgu charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Aug 30 10:12:51 mgu charon: 00[CFG]   loaded IKE secret for 160.48.99.98
> Aug 30 10:12:51 mgu charon: 00[CFG]   loaded IKE secret for 160.48.199.98
> Aug 30 10:12:51 mgu charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/MGU_01_IPsec-internal.key'
> Aug 30 10:12:51 mgu charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/MGU_01_IPsec-internal.key'
> Aug 30 10:12:51 mgu charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Aug 30 10:12:51 mgu charon: 00[JOB] spawning 16 worker threads
> Aug 30 10:12:51 mgu charon: 05[CFG] received stroke: add connection 'host-host-psk-lan'
> Aug 30 10:12:51 mgu charon: 05[CFG] added configuration 'host-host-psk-lan'
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170830/26f23114/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3705 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170830/26f23114/attachment-0001.bin>

More information about the Users mailing list