[strongSwan] swanctl -l - loses transport info?
Kostya Vasilyev
kman at fastmail.com
Thu Apr 4 20:32:38 CEST 2019
Hi,
I'm seeing something weird with the output of "swanctl -l".
Sometimes the SA's are output like this:
home_gre: #3, reqid 3, INSTALLED, TRANSPORT, ESP:AES_CTR-128/HMAC_SHA2_256_128
linode: #4, reqid 4, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
And sometimes like this:
home_gre: #6, reqid 6, INSTALLED, TRANSPORT, ESP:AES_CTR-128/HMAC_SHA2_256_128/ECP_256
linode: #4, reqid 4, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128/ECP_256
The variation is in the "/ECP_256" at the end.
I think this varies depending on how I start strongSwan (swanctl -q vs. systemctl restart) or maybe rekeying.
But my server and client configs don't change.
My server config is like this:
connections {
    ec_tunnel {
        version = 2
        proposals = aes128-sha256-ecp256
        # local, remote addrs and auth omitted
        children {
            home_gre {
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                esp_proposals = aes128ctr-sha256-ecp256
            }
            linode {
                mode = transport
                esp_proposals = aes128gcm128-ecp256
            }
        }
    }
}
Client config for "linode" clients:
connections {
    ecdsa_tunnel {
        version = 2
        proposals = aes128-sha256-ecp256
        # local, remote addrs and auth omitted
        children {
            fra {
                mode = transport
                esp_proposals = aes128gcm128-ecp256
                start_action = start
                close_action = start
                dpd_action = restart
            }
        }
    }
}
Client "home_gre" (AES CTR) is a Mikrotik at home and it also has ECP256 in its SA encryption config.
Does this look like a bug in swanctl -l ?
Or - most likely - user error?
I got ideas for my crypto settings from here:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
Suite-B-GCM-128:
IKEv2: aes128gcm16-prfsha256-ecp256
ESP: aes128gcm16-ecp256
Except I can't use GCM or PRF for IKE because of the Mikrotik client.
--
Kostya Vasilyev
kman at fastmail.com
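Added example, not part of the original post or of the strongSwan project: a small parser for the CHILD_SA summary lines that `swanctl -l` prints, which splits the ESP proposal string into cipher, integrity algorithm and Diffie-Hellman group, and compares the group shown against the `esp_proposals` keyword from swanctl.conf. It assumes the format quoted above (`name: #id, reqid N, STATE, MODE, ESP:ENCR/INTEG/DH`), that a trailing `ECP_`/`MODP_`/`CURVE_` element is the DH group used when the CHILD_SA was negotiated (a CHILD_SA set up inside IKE_AUTH does no separate DH exchange, so no group can be printed for it), and uses sample lines constructed from the post. The function and dictionary names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the lines quoted in the post: the same two
# children seen once without and once with a trailing DH group.
SAMPLE_OUTPUT = """\
home_gre: #3, reqid 3, INSTALLED, TRANSPORT, ESP:AES_CTR-128/HMAC_SHA2_256_128
linode: #4, reqid 4, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
home_gre: #6, reqid 6, INSTALLED, TRANSPORT, ESP:AES_CTR-128/HMAC_SHA2_256_128/ECP_256
linode: #4, reqid 4, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128/ECP_256
"""

# The esp_proposals values from the server config in the post, keyed by child name.
CONFIGURED_ESP = {
    "home_gre": "aes128ctr-sha256-ecp256",
    "linode": "aes128gcm128-ecp256",
}

# One CHILD_SA summary line as printed by `swanctl -l`; other detail lines are ignored.
CHILD_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+):\s+#(?P<id>\d+),\s+reqid\s+(?P<reqid>\d+),"
    r"\s+(?P<state>\w+),\s+(?P<mode>\w+),\s+(?P<proto>ESP|AH):(?P<proposal>\S+)"
)

# Algorithm-name prefixes that denote a Diffie-Hellman group in the proposal string.
DH_PREFIXES = ("ECP_", "MODP_", "CURVE_")


@dataclass
class ChildSA:
    name: str
    sa_id: int
    reqid: int
    state: str
    mode: str
    proto: str
    encr: str
    integ: Optional[str]  # None for AEAD ciphers such as AES_GCM_16
    dh: Optional[str]     # None when no DH group is shown for this SA


def parse_child_sa(line: str) -> Optional[ChildSA]:
    """Parse one CHILD_SA line; return None for lines that are not CHILD_SA summaries."""
    m = CHILD_RE.match(line)
    if not m:
        return None
    parts = m["proposal"].split("/")
    encr, rest = parts[0], parts[1:]
    # A DH group, if present, is always the last element of the proposal string.
    dh = rest.pop() if rest and rest[-1].startswith(DH_PREFIXES) else None
    integ = rest[0] if rest else None
    return ChildSA(m["name"], int(m["id"]), int(m["reqid"]), m["state"],
                   m["mode"], m["proto"], encr, integ, dh)


def parse_output(text: str) -> List[ChildSA]:
    return [sa for sa in map(parse_child_sa, text.splitlines()) if sa is not None]


def expected_dh_group(esp_proposal: str) -> Optional[str]:
    """Map the DH keyword of a swanctl.conf esp_proposals string ('...-ecp256') to
    the name swanctl -l prints ('ECP_256'). Assumption: the keyword is a prefix
    followed by digits, which holds for ecp*, modp* and curve25519."""
    for token in reversed(esp_proposal.split("-")):
        m = re.fullmatch(r"(ecp|modp|curve)(\d+)", token)
        if m:
            return f"{m[1].upper()}_{m[2]}"
    return None


def check_pfs(text: str, configured: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """For each INSTALLED CHILD_SA return (name, #id, status) where status is
    'match' (DH group equals the configured one), 'mismatch', or 'no-dh'
    (no group printed, i.e. the SA was set up without its own DH exchange)."""
    results = []
    for sa in parse_output(text):
        if sa.state != "INSTALLED":
            continue
        want = expected_dh_group(configured.get(sa.name, ""))
        if sa.dh is None:
            status = "no-dh"
        elif sa.dh == want:
            status = "match"
        else:
            status = "mismatch"
        results.append((sa.name, sa.sa_id, status))
    return results


if __name__ == "__main__":
    for name, sa_id, status in check_pfs(SAMPLE_OUTPUT, CONFIGURED_ESP):
        print(f"{name} #{sa_id}: {status}")
```

Run it against live output with `swanctl -l | python3 this_script.py`-style plumbing, or paste the output into `SAMPLE_OUTPUT`; a `no-dh` result for an SA whose `esp_proposals` names a group is worth a second look, while a `mismatch` means the peer negotiated a different group than the one configured locally.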