[strongSwan] cipher choice causing issue
Jamie Stuart
jamie at onebillion.org
Wed Jul 5 17:02:40 CEST 2017
Thanks Tobias,

I compiled the kernel with res-gcm support and it now works fine.

One other issue - the client is actually a router, and NATed clients behind it can’t seem to access the internet, although the client itself can.

Any thoughts?

> On 5 Jul 2017, at 15:48, Tobias Brunner <tobias at strongswan.org> wrote:
>
> Hi Jamie,
>
>> Server is Ubuntu 17, Client LEDE trunk. Authentication happens, but I think client and server cannot agree on an algorithm?
>
> They do, but the chosen algorithm (probably AES-GCM) apparently is not
> supported by the client's kernel:
>
>> 16[KNL] received netlink error: Function not implemented (89)
>> 16[KNL] unable to add SAD entry with SPI c09ec43d (FAILED)
>> 16[KNL] received netlink error: Function not implemented (89)
>> 16[KNL] unable to add SAD entry with SPI ca9fa951 (FAILED)
>
> Either change the kernel or include a supported algorithm in the ESP
> proposal (e.g. esp=aes256gcm16-aes256-sha256! on the server and
> esp=aes256-sha256! on the client to use AES in CBC mode).
>
> Regards,
> Tobias
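
Added example, not part of the original thread or of strongSwan: a small triage script that pairs each failed SAD install in a charon log with the netlink error preceding it and flags the "kernel lacks the negotiated algorithm" case discussed above. The function names and the first sample log line are constructed for illustration.

```python
import re

# Constructed sample: the [KNL] lines quoted in the thread, preceded by one
# made-up unrelated line to show that other log output is ignored.
SAMPLE_LOG = """\
16[IKE] authentication of 'server' with pre-shared key successful
16[KNL] received netlink error: Function not implemented (89)
16[KNL] unable to add SAD entry with SPI c09ec43d (FAILED)
16[KNL] received netlink error: Function not implemented (89)
16[KNL] unable to add SAD entry with SPI ca9fa951 (FAILED)
"""

NETLINK_ERR = re.compile(r"(\d+)\[KNL\] received netlink error: (.+) \((\d+)\)")
SAD_FAIL = re.compile(r"(\d+)\[KNL\] unable to add SAD entry with SPI ([0-9a-f]+) \(FAILED\)")


def failed_sas(log_text):
    """Return [(spi, error_text, errno)] for every failed SAD install.

    Each failure is paired with the most recent netlink error logged by the
    same charon thread; if there is none, the error fields are None.
    """
    results = []
    last_err = {}  # thread id -> (error text, errno)
    for line in log_text.splitlines():
        m = NETLINK_ERR.search(line)
        if m:
            last_err[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = SAD_FAIL.search(line)
        if m:
            text, code = last_err.pop(m.group(1), (None, None))
            results.append((m.group(2), text, code))
    return results


def kernel_lacks_algorithm(log_text):
    """True if any SA install failed with ENOSYS.

    The check uses the error text, not the number: ENOSYS is 89 on MIPS
    (common on LEDE routers) but 38 on x86 and most other architectures.
    """
    return any(text == "Function not implemented"
               for _, text, _ in failed_sas(log_text))


if __name__ == "__main__":
    for spi, text, code in failed_sas(SAMPLE_LOG):
        print(f"SPI {spi}: {text} ({code})")
    if kernel_lacks_algorithm(SAMPLE_LOG):
        print("IKE negotiation succeeded, but the kernel cannot install the ESP algorithm")
```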