[strongSwan] How to use af-alg plugin

Noel Kuntze noel.kuntze at thermi.consulting
Fri Aug 10 20:43:26 CEST 2018


Hello,

The output of "./configure" only tells you what is built at build time, not what is loaded at run time.
They're complementary. You can't load a plugin that wasn't built. To be able to load a plugin, it has to be built and you need to have it.

Yes, af-alg does what you want. Your expectation to get stuff in the logs when it works is wrong. No crypto plugin ever prints anything regarding the usage, as long as nothing bad/critical happens.
You need to check the output of `ipsec listalgs` to see which plugin provides which algorithms.

Algorithms are provided by the plugin which provides them first relative to when the plugins are loaded when the daemon starts.

Kind regards

Noel


On 10.08.18 at 14:43, Roee Agami wrote:
> Hi,
>
> I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.
>
> Now I am trying to build strongSwan with that plugin. I know of this example config:
>
> https://www.strongswan.org/testing/testresults/af-alg/rw-cert/
>
> And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).
>
> Here is the output of the configure script command:
>
> strongSwan will be built with the following plugins
>
> libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
>
> libcharon:         kernel-netlink socket-default stroke vici updown counters
>
> libtnccs:
>
> libtpmtss:
>
> Then I make and make install it, and restart ipsec.
>
> Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.
>
> Running ‘ipsec statusall’ doesn’t show any output at all.
>
> So my conclusion is that strongSwan is not running the way I wanted it to.
>
> Can you help me figure out what I am missing?
>
> Thanks,
>
> Roee.

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
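
As an added example (not part of the original post and not strongSwan's own code): a shell helper that groups `ipsec listalgs` output by providing plugin, so you can see which algorithms af-alg actually ended up providing once load order has been applied. It assumes the `NAME[plugin]` layout of that output; the sample text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the NAME[plugin] layout printed by `ipsec listalgs`;
# it is NOT output captured from the poster's system.
sample_listalgs() {
cat <<'EOF'
List of registered IKE algorithms:

  encryption: AES_CBC[openssl] 3DES_CBC[openssl]
  integrity:  HMAC_SHA1_96[openssl] AES_XCBC_96[af-alg]
  aead:       AES_GCM_16[openssl]
  hasher:     HASH_SHA1[openssl] HASH_SHA256[openssl]
  prf:        PRF_HMAC_SHA2_256[openssl] PRF_AES128_XCBC[af-alg]
  dh-group:   MODP_2048[openssl]
  random-gen: RNG_STRONG[random]
  nonce-gen:  [nonce]
EOF
}

# Read listalgs text on stdin, print one "plugin category algorithm" per line.
algs_by_plugin() {
    awk '
        /^[ \t]+[a-z-]+:/ {
            cat = $1; sub(/:$/, "", cat)
            for (i = 2; i <= NF; i++) {
                n = index($i, "[")
                # skip tokens that are not of the form NAME[plugin]
                if (n == 0 || substr($i, length($i)) != "]") continue
                alg = substr($i, 1, n - 1)
                plugin = substr($i, n + 1, length($i) - n - 1)
                if (alg == "") alg = "-"    # e.g. "nonce-gen: [nonce]"
                print plugin, cat, alg
            }
        }'
}

# Print the algorithms of one category that a given plugin provides.
provided_by() {   # usage: provided_by PLUGIN CATEGORY < listalgs-output
    algs_by_plugin | awk -v p="$1" -v c="$2" '$1 == p && $2 == c { print $3 }'
}

# On a live system: ipsec listalgs | algs_by_plugin | sort
sample_listalgs | algs_by_plugin | sort
```

If af-alg shows up for none of the algorithms you care about, another plugin loaded before it registered them first.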

