[strongSwan] Blowfish not working for IKE, but works for CHILD_SA (Linux strongSwan U5.8.2/K4.1.35-rt41)
Makarand Pradhan
MakarandPradhan at is5com.com
Tue Aug 25 19:21:12 CEST 2020

Hi All,

While trying Blowfish, it was noticed that Blowfish works for the CHILD_SA, but causes a

06[IKE] ENCRYPTION_ALGORITHM BLOWFISH_CBC (key size 128) not supported!

if used for IKE.

Would appreciate any suggestions to get Blowfish working with IKE. Tx.

The kernel is compiled with:
CONFIG_CRYPTO_BLOWFISH=y

Log of testing:

Scenario: Blowfish does not work for IKE:

ipsec.conf:
ike=blowfish-sha512-modp1536!
esp=blowfish-sha256-modp2048!

12[CFG] selected proposal: IKE:BLOWFISH_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
12[IKE] ENCRYPTION_ALGORITHM BLOWFISH_CBC (key size 128) not supported!

Scenario: Blowfish works for ESP:

ipsec.conf:
ike=des-sha512-modp1536!
esp=blowfish-sha256-modp2048!

m1[1]: IKE proposal: DES_CBC/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
m1{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5db5f5_i cd44c39e_o
m1{3}: BLOWFISH_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 107 minutes
m1{3}: 10.10.9.0/24 192.168.61.0/24 === 192.168.9.0/24 192.168.51.0/24

Log:

root@t1024rdb:~# swanctl --list-algs
encryption:
  AES_CBC[aes]
  AES_ECB[aes]
  3DES_CBC[des]
  DES_CBC[des]
  DES_ECB[des]
  RC2_CBC[rc2]
integrity:
  AES_XCBC_96[xcbc]
  AES_CMAC_96[cmac]
  HMAC_SHA1_96[hmac]
  HMAC_SHA1_128[hmac]
  HMAC_SHA1_160[hmac]
  HMAC_MD5_96[hmac]
  HMAC_MD5_128[hmac]
  HMAC_SHA2_256_128[hmac]
  HMAC_SHA2_256_256[hmac]
  HMAC_SHA2_384_192[hmac]
  HMAC_SHA2_384_384[hmac]
  HMAC_SHA2_512_256[hmac]
  HMAC_SHA2_512_512[hmac]
aead:
hasher:
  HASH_SHA1[sha1]
  HASH_SHA2_224[sha2]
  HASH_SHA2_256[sha2]
  HASH_SHA2_384[sha2]
  HASH_SHA2_512[sha2]
  HASH_MD5[md5]
  HASH_IDENTITY[curve25519]
prf:
  PRF_KEYED_SHA1[sha1]
  PRF_FIPS_SHA1_160[fips-prf]
  PRF_AES128_XCBC[xcbc]
  PRF_AES128_CMAC[cmac]
  PRF_HMAC_SHA1[hmac]
  PRF_HMAC_MD5[hmac]
  PRF_HMAC_SHA2_256[hmac]
  PRF_HMAC_SHA2_384[hmac]
  PRF_HMAC_SHA2_512[hmac]
xof:
  XOF_MGF1_SHA1[mgf1]
  XOF_MGF1_SHA224[mgf1]
  XOF_MGF1_SHA256[mgf1]
  XOF_MGF1_SHA384[mgf1]
  XOF_MGF1_SHA512[mgf1]
drbg:
  DRBG_CTR_AES128[drbg]
  DRBG_CTR_AES192[drbg]
  DRBG_CTR_AES256[drbg]
  DRBG_HMAC_SHA1[drbg]
  DRBG_HMAC_SHA256[drbg]
  DRBG_HMAC_SHA384[drbg]
  DRBG_HMAC_SHA512[drbg]
dh:
  MODP_3072[gmp]
  MODP_4096[gmp]
  MODP_6144[gmp]
  MODP_8192[gmp]
  MODP_2048[gmp]
  MODP_2048_224[gmp]
  MODP_2048_256[gmp]
  MODP_1536[gmp]
  MODP_1024[gmp]
  MODP_1024_160[gmp]
  MODP_768[gmp]
  MODP_CUSTOM[gmp]
  CURVE_25519[curve25519]
rng:
  RNG_STRONG[random]
  RNG_TRUE[random]
nonce-gen:
  NONCE_GEN[nonce]
root@t1024rdb:~#

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
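
Added example, not part of the original post and not strongSwan code: a Python check that parses `swanctl --list-algs` output and reports which transforms of an ike= proposal no loaded plugin provides. IKE encryption runs in the charon daemon through these plugins, while ESP is handled by the kernel, which is why CONFIG_CRYPTO_BLOWFISH helps only the CHILD_SA. The keyword table covers only the keywords in this post, the function names are hypothetical, and the sample listing is constructed by abridging the output above.

```python
import re

# Proposal keyword -> (category, transform) pairs. Covers only the keywords in
# this post; transform names are the ones its log lines and listing show.
KEYWORDS = {
    "blowfish": [("encryption", "BLOWFISH_CBC")],
    "des": [("encryption", "DES_CBC")],
    "sha512": [("integrity", "HMAC_SHA2_512_256"), ("prf", "PRF_HMAC_SHA2_512")],
    "modp1536": [("dh", "MODP_1536")],
}

# Constructed sample: the post's `swanctl --list-algs` output, abridged.
SAMPLE_ALGS = """\
encryption:
  AES_CBC[aes]
  3DES_CBC[des]
  DES_CBC[des]
integrity:
  HMAC_SHA2_512_256[hmac]
aead:
prf:
  PRF_FIPS_SHA1_160[fips-prf]
  PRF_HMAC_SHA2_512[hmac]
dh:
  MODP_1536[gmp]
"""

def parse_list_algs(text):
    """Return {category: {transform: plugin}} parsed from the listing."""
    algs, section = {}, None
    for line in map(str.strip, text.splitlines()):
        entry = re.fullmatch(r"(\w+)\[([\w-]+)\]", line)
        if line.endswith(":"):
            section = line[:-1]
            algs[section] = {}
        elif entry and section is not None:
            algs[section][entry.group(1)] = entry.group(2)
    return algs

def missing_for_ike(proposal, algs):
    """Return (keyword, category, transform) tuples no loaded plugin provides."""
    missing = []
    for kw in proposal.rstrip("!").split("-"):
        if kw not in KEYWORDS:
            raise ValueError(f"keyword not in this example's table: {kw}")
        for category, transform in KEYWORDS[kw]:
            if transform not in algs.get(category, {}):
                missing.append((kw, category, transform))
    return missing
```

Feeding it the real `swanctl --list-algs` text and the ike= value from ipsec.conf shows, before any negotiation, whether the daemon can instantiate every transform in the proposal.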