[strongSwan] Blowfish not working for IKE, but works for CHILD_SA (Linux strongSwan U5.8.2/K4.1.35-rt41)
Makarand Pradhan
MakarandPradhan at is5com.com
Wed Aug 26 18:06:10 CEST 2020
Thanks Tobias.
I configured with --enable-blowfish and it worked for me. I can now see BLOWFISH_CBC in encryptions and IKE can use blowfish.
sh-4.3# swanctl --list-algs
encryption:
AES_CBC[aes]
AES_ECB[aes]
3DES_CBC[des]
DES_CBC[des]
DES_ECB[des]
BLOWFISH_CBC[blowfish]
Tunnel status:
...
m1[18]: IKEv2 SPIs: 1b652ce7683f67fa_i 269af6263b48d37e_r*, pre-shared key reauthentication in 45 minutes
m1[18]: IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org>
Sent: August 26, 2020 4:04 AM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Blowfish not working for IKE, but works for CHILD_SA (Linux strongSwan U5.8.2/K4.1.35-rt41)
Hi Makarand,
> Log:
> root at t1024rdb:~# swanctl --list-algs
As you can see in this list, there is no plugin that provides the BLOWFISH_CBC algorithm. There are three plugins that can provide it: blowfish (obviously), gcrypt and openssl. The latter two only if the underlying library was built with that algorithm. So make sure you enable/build the plugins/library you need if you want to use that algorithm.
Regards,
Tobias
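
An added example (not part of the original thread and not strongSwan's own code): a shell function that parses `swanctl --list-algs` output and reports which plugin, if any, registers a given algorithm, so a missing BLOWFISH_CBC is caught before an IKE proposal depends on it. The helper name alg_provider and the sample input are constructed for illustration; entries are assumed to be indented under their category header, and unindented output is accepted too.

```shell
# Constructed sample input: the encryption list quoted in the thread plus
# one constructed integrity entry, in `swanctl --list-algs` layout.
sample_algs() {
cat <<'EOF'
encryption:
  AES_CBC[aes]
  AES_ECB[aes]
  3DES_CBC[des]
  DES_CBC[des]
  DES_ECB[des]
  BLOWFISH_CBC[blowfish]
integrity:
  HMAC_SHA2_512_256[hmac]
EOF
}

# alg_provider CATEGORY ALGORITHM   (hypothetical helper name)
# Reads `swanctl --list-algs` output on stdin and prints the first plugin
# that registers ALGORITHM under CATEGORY. Returns 1 if no plugin does.
alg_provider() {
    awk -v want_cat="$1" -v want_alg="$2" '
        # Category header, e.g. "encryption:"
        /^[ \t]*[a-z-]+:[ \t]*$/ {
            gsub(/[ \t:]/, ""); section = $0; next
        }
        # Entry, e.g. "  BLOWFISH_CBC[blowfish]"
        section == want_cat {
            line = $0
            gsub(/[ \t]/, "", line)
            n = index(line, "[")
            if (n > 1 && substr(line, 1, n - 1) == want_alg) {
                plugin = substr(line, n + 1)
                sub(/\].*$/, "", plugin)
                print plugin
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

# On a live gateway: swanctl --list-algs | alg_provider encryption BLOWFISH_CBC
if plugin=$(sample_algs | alg_provider encryption BLOWFISH_CBC); then
    echo "BLOWFISH_CBC provided by plugin: $plugin"
else
    echo "BLOWFISH_CBC not available; enable blowfish, gcrypt or openssl" >&2
fi
```
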