[strongSwan] How to use af-alg plugin

Roee Agami ragami at bluecedar.com
Fri Aug 10 21:21:27 CEST 2018


Thanks Noel,

Since I haven't specified anything in strongswan.conf, I assume that all of the plugins I built will be loaded.
"ipsec listalgs" prints nothing (similar to ipsec statusall).

Also, any swanctl command I run simply hangs and doesn't finish or print anything.

Any idea why?

Roee.

On 8/10/18, 2:43 PM, "Noel Kuntze" <noel.kuntze at thermi.consulting> wrote:

    Hello,
    
    The output of "./configure" only tells you what is built at build time, not what is loaded at run time.
    They're complementary. You can't load a plugin that wasn't built. To be able to load a plugin, it has to be built and you need to have it.
    
    Yes, af-alg does what you want. Your expectation to get stuff in the logs when it works is wrong. No crypto plugin ever prints anything regarding the usage, as long as nothing bad/critical happens.
    You need to check the output of `ipsec listalgs` to see which plugin provides which algorithms.
    
    Algorithms are provided by the plugin which provides them first relative to when the plugins are loaded when the daemon starts.
    
    Kind regards
    
    Noel
    
    
    Am 10.08.18 um 14:43 schrieb Roee Agami:
    > Hi,
    >
    > I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.
    >
    > Now I am trying to build strongSwan with that plugin. I know of this example config:
    >
    > https://www.strongswan.org/testing/testresults/af-alg/rw-cert/
    >
    > And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).
    >
    > Here is the output of the configure script command:
    >
    > strongSwan will be built with the following plugins
    > libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
    > libcharon: kernel-netlink socket-default stroke vici updown counters
    > libtnccs:
    > libtpmtss:
    >
    > Then I make and make install it, and restart ipsec.
    >
    > Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.
    >
    > Running ‘ipsec statusall’ doesn’t show any output at all.
    >
    > So my conclusion is that strongSwan is not running the way I wanted it to.
    >
    > Can you help me figure out what I am missing?
    >
    > Thanks,
    > Roee.
    
    -- 
    Noel Kuntze
    IT security consultant
    
    GPG Key ID: 0x0739AD6C
    Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
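
The `ipsec listalgs` check described in the reply above, as an added example that is not part of the original thread and is not strongSwan code. It assumes the listing uses the `NAME[plugin]` layout; the sample text is constructed, and `parse_listalgs`, `not_from` and `CHECKED_CLASSES` are hypothetical names.

```python
import re
import sys

# Constructed sample in the layout "ipsec listalgs" prints: one line per
# algorithm class, each entry written as NAME[providing-plugin].
SAMPLE = """\
List of registered IKE algorithms:

  encryption: AES_CBC[openssl] 3DES_CBC[openssl] AES_CTR[openssl]
              CAMELLIA_CBC[af-alg]
  integrity:  HMAC_SHA1_96[openssl] AES_XCBC_96[af-alg]
  aead:       AES_GCM_16[openssl] AES_CCM_16[ccm]
  hasher:     HASH_SHA1[openssl] HASH_SHA2_256[openssl]
  prf:        PRF_HMAC_SHA1[openssl] PRF_AES128_XCBC[af-alg]
  dh-group:   MODP_2048[openssl] ECP_256[openssl]
  nonce-gen:  [nonce]
"""

CLASS_RE = re.compile(r"^\s*([a-z][a-z-]*):\s*(.*)$")   # "  encryption: ..."
ENTRY_RE = re.compile(r"([A-Z0-9_]*)\[([^\]]+)\]")      # "AES_CBC[openssl]"
# Assumption: the classes whose provider matters for "IKE crypto in the kernel".
CHECKED_CLASSES = ("encryption", "integrity", "hasher", "prf")

def parse_listalgs(text):
    """Return {class: [(algorithm, plugin), ...]}, following wrapped lines."""
    result, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
            result[current] = []
        else:
            rest = line            # continuation of the previous class
        if current is not None:
            result[current] += ENTRY_RE.findall(rest)
    return result

def not_from(algs, plugin, classes=CHECKED_CLASSES):
    """Per class, the algorithms registered by some plugin other than `plugin`."""
    return {c: [(a, p) for a, p in algs.get(c, []) if p != plugin]
            for c in classes}

if __name__ == "__main__":
    # Use "ipsec listalgs | python3 thisfile.py"; falls back to the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for cls, items in not_from(parse_listalgs(text), "af-alg").items():
        for alg, plugin in items:
            print(f"{cls:12} {alg:20} served by {plugin}")
```

Every line it prints is an algorithm that a plugin loaded ahead of af-alg registered first, which is the ordering rule the reply states.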
    
    
    


