[strongSwan] How to use af-alg plugin

Roee Agami ragami at bluecedar.com
Fri Aug 10 22:49:46 CEST 2018


I checked the daemon's status and it looks like charon is constantly rolling. Dmesg shows the call trace but I'm not able to get useful info from it.
The config files are empty, so it means to me that only the selection of plugins is what is causing this behavior.
Can you tell me which plugins I should have in order for it to work with af-alg?

Roee.

On 8/10/18, 3:31 PM, "Noel Kuntze" <noel.kuntze at thermi.consulting> wrote:

    I suppose then the daemon isn't running or you fucked up something big time.
    
    On 10.08.18 at 21:21, Roee Agami wrote:
    > Thanks Noel,
    >
    > Since I haven't specified anything in strongswan.conf, I assume that all of the plugins I built will be loaded.
    > "ipsec listalgs" prints nothing (similar to ipsec statusall).
    >
    > Also, any swanctl command I run simply hangs and doesn't finish or print anything.
    >
    > Any idea why?
    >
    > Roee.
    >
    > On 8/10/18, 2:43 PM, "Noel Kuntze" <noel.kuntze at thermi.consulting> wrote:
    >
    >     Hello,
    >     
    >     The output of "./configure" only tells you what is built at build time, not what is loaded at run time.
    >     They're complementary. You can't load a plugin that wasn't built. To be able to load a plugin, it has to be built and you need to have it.
    >     
    >     Yes, af-alg does what you want. Your expectation to get stuff in the logs when it works is wrong. No crypto plugin ever prints anything regarding the usage, as long as nothing bad/critical happens.
    >     You need to check the output of `ipsec listalgs` to see which plugin provides which algorithms.
    >     
    >     Algorithms are provided by the plugin which provides them first relative to when the plugins are loaded when the daemon starts.
    >     
    >     Kind regards
    >     
    >     Noel
    >     
    >     
    >     On 10.08.18 at 14:43, Roee Agami wrote:
    >     >
    >     > Hi,
    >     >
    >     > I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that the af-alg plugin allows such behavior.
    >     >
    >     > Now I am trying to build strongSwan with that plugin. I know of this example config:
    >     >
    >     > https://www.strongswan.org/testing/testresults/af-alg/rw-cert/
    >     >
    >     > And I was trying to follow it, loading the same plugins listed in Carol's strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).
    >     >
    >     > Here is the output of the configure script command:
    >     >
    >     > strongSwan will be built with the following plugins
    >     >
    >     > libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
    >     >
    >     > libcharon:         kernel-netlink socket-default stroke vici updown counters
    >     >
    >     > libtnccs:
    >     >
    >     > libtpmtss:
    >     >
    >     > Then I make and make install it, and restart ipsec.
    >     >
    >     > Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that the 'af-alg' plugin is loaded successfully. I don't see any other messages after that.
    >     >
    >     > Running 'ipsec statusall' doesn't show any output at all.
    >     >
    >     > So my conclusion is that strongSwan is not running the way I wanted it to.
    >     >
    >     > Can you help me figure out what I am missing?
    >     >
    >     > Thanks,
    >     >
    >     > Roee.
    >     >
    >     
    >     -- 
    >     Noel Kuntze
    >     IT security consultant
    >     
    >     GPG Key ID: 0x0739AD6C
    >     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
    >     
    >     
    >     
    >
    
    -- 
    Noel Kuntze
    IT security consultant
    
    GPG Key ID: 0x0739AD6C
    Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
    
    
    



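Noel's advice in the thread is to read `ipsec listalgs` to see which plugin actually serves each algorithm, because the first loaded plugin that registers an algorithm wins. As an added example (not from the thread and not strongSwan's own code), the Python script below parses that listing and reports every IKE crypto algorithm that is served by a plugin other than af-alg; the sample output is constructed, and the `NAME[plugin]` token format is assumed from what the stroke plugin prints.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ipsec listalgs` output (not captured from a real host).
# Assumed format: one "category: NAME[plugin] NAME[plugin] ..." line per category.
SAMPLE_LISTALGS = """\
List of registered IKE algorithms:

  encryption: AES_CBC[af-alg] CAMELLIA_CBC[openssl] AES_CTR[ctr] AES_CCM[ccm] AES_GCM[gcm]
  integrity:  HMAC_SHA1_96[af-alg] HMAC_SHA2_256_128[af-alg] HMAC_MD5_96[openssl]
  hasher:     HASH_SHA1[af-alg] HASH_SHA2_256[af-alg] HASH_MD5[openssl]
  prf:        PRF_HMAC_SHA1[af-alg] PRF_HMAC_SHA2_256[af-alg] PRF_HMAC_MD5[openssl]
  dh-group:   MODP_2048[gmp] MODP_3072[gmp] ECP_256[openssl]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]
"""

# An algorithm token is NAME[plugin]; NAME may be empty (e.g. "[nonce]").
TOKEN = re.compile(r"([A-Z0-9_]*)\[([^\]]+)\]")
CATEGORY_LINE = re.compile(r"\s+([a-z-]+):\s*(.*)$")

def parse_listalgs(text):
    """Return {category: [(algorithm, plugin), ...]} from listalgs output."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = CATEGORY_LINE.match(line)
        if not m:
            continue  # heading and blank lines carry no algorithm entries
        category, rest = m.groups()
        for alg, plugin in TOKEN.findall(rest):
            table[category].append((alg or "(default)", plugin))
    return dict(table)

def not_provided_by(table, wanted, categories=("encryption", "integrity", "hasher", "prf")):
    """List (category, algorithm, plugin) entries in the symmetric-crypto
    categories that a plugin other than `wanted` registered first. A non-empty
    result means the plugin load order is not routing that crypto through
    `wanted` (here af-alg, i.e. the kernel), whatever the logs say."""
    return [(cat, alg, plugin)
            for cat in categories
            for alg, plugin in table.get(cat, [])
            if plugin != wanted]

if __name__ == "__main__":
    try:  # use the live daemon when available, the constructed sample otherwise
        output = subprocess.run(["ipsec", "listalgs"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_LISTALGS
    for cat, alg, plugin in not_provided_by(parse_listalgs(output), "af-alg"):
        print(f"{cat}: {alg} is served by {plugin}, not af-alg")
```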