[strongSwan] aesxcbc did not work for ph2 but worked for ph1
Makarand Pradhan
MakarandPradhan at is5com.com
Thu Sep 3 17:38:11 CEST 2020
Good morning All,
I am trying to use aesxcbc for integrity. It works when I use it with IKE but throws a netlink error while trying to use with ESP.
Strongswan is compiled with --enable-xcbc.
Would highly appreciate any suggestions to resolve the problem. Tx.
Logs below:
My ipsec.conf is given below:
ike=aes256-aesxcbc-modp1536!
esp=aes256-aesxcbc-modp2048!
AESXBC is listed in Integrity algos:
root at t1024rdb:~# swanctl --list-algs
encryption:
AES_CBC[aes]
AES_ECB[aes]
3DES_CBC[des]
DES_CBC[des]
DES_ECB[des]
BLOWFISH_CBC[blowfish]
RC2_CBC[rc2]
integrity:
AES_XCBC_96[xcbc]
AES_CMAC_96[cmac]
HMAC_SHA1_96[hmac]
HMAC_SHA1_128[hmac]
HMAC_SHA1_160[hmac]
HMAC_MD5_96[hmac]
HMAC_MD5_128[hmac]
HMAC_SHA2_256_128[hmac]
HMAC_SHA2_256_256[hmac]
HMAC_SHA2_384_192[hmac]
HMAC_SHA2_384_384[hmac]
HMAC_SHA2_512_256[hmac]
HMAC_SHA2_512_512[hmac]
aead:
hasher:
HASH_SHA1[sha1]
HASH_SHA2_224[sha2]
HASH_SHA2_256[sha2]
HASH_SHA2_384[sha2]
HASH_SHA2_512[sha2]
HASH_MD5[md5]
HASH_IDENTITY[curve25519]
SA Established:
root at t1024rdb:~# ipsec statusall m1
Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
uptime: 9 seconds, since Nov 05 21:27:35 2018
malloc: sbrk 2027520, mmap 0, used 288528, free 1738992
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
10.10.5.1
192.168.51.2
192.168.52.2
172.16.31.1
172.16.32.1
Connections:
m1: 172.16.31.1...172.16.31.2 IKEv2, dpddelay=60s
m1: local: [172.16.31.1] uses pre-shared key authentication
m1: remote: [172.16.31.2] uses pre-shared key authentication
m1: child: 192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24 TUNNEL, dpdaction=clear
Routed Connections:
m1{1}: ROUTED, TUNNEL, reqid 1
m1{1}: 192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24
Security Associations (1 up, 0 connecting):
m1[1]: ESTABLISHED 7 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
m1[1]: IKEv2 SPIs: eca1d32c9e634128_i* b1157e6f487ea502_r, pre-shared key reauthentication in 39 minutes
m1[1]: IKE proposal: AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_1536
root at t1024rdb:~#
CHILD-SA fails:
11[IKE] 172.16.31.1 is initiating an IKE_SA
11[CFG] selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_1536
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
11[NET] sending packet: from 172.16.31.2[500] to 172.16.31.1[500] (408 bytes)
13[NET] received packet: from 172.16.31.1[500] to 172.16.31.2[500] (268 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13[CFG] looking for peer configs matching 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
13[CFG] selected peer config 'm1'
13[IKE] authentication of '172.16.31.1' with pre-shared key successful
13[IKE] authentication of '172.16.31.2' (myself) with pre-shared key
13[IKE] IKE_SA m1[1] established between 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
13[IKE] scheduling reauthentication in 2921s
13[IKE] maximum IKE_SA lifetime 3461s
13[CFG] selected proposal: ESP:AES_CBC_256/AES_XCBC_96/NO_EXT_SEQ
13[KNL] received netlink error: Function not implemented (38)
13[KNL] unable to add SAD entry with SPI cadbb51e (FAILED)
13[KNL] received netlink error: Function not implemented (38)
13[KNL] unable to add SAD entry with SPI c05ee772 (FAILED)
13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
Confidentiality Notice:
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
More information about the Users
mailing list