[strongSwan] aesxcbc did not work for ph2 but worked for ph1

Makarand Pradhan MakarandPradhan at is5com.com
Thu Sep 3 17:38:11 CEST 2020 

Good morning All,

I am trying to use aesxcbc for integrity. It works when I use it with IKE but throws a netlink error while trying to use with ESP. 

Strongswan is compiled with --enable-xcbc.

Would highly appreciate any suggestions to resolve the problem. Tx.

Logs below:

My ipsec.conf is given below:

	ike=aes256-aesxcbc-modp1536!
	esp=aes256-aesxcbc-modp2048!

AESXBC is listed in Integrity algos:
root at t1024rdb:~# swanctl --list-algs
encryption:
  AES_CBC[aes]
  AES_ECB[aes]
  3DES_CBC[des]
  DES_CBC[des]
  DES_ECB[des]
  BLOWFISH_CBC[blowfish]
  RC2_CBC[rc2]
integrity:
  AES_XCBC_96[xcbc]
  AES_CMAC_96[cmac]
  HMAC_SHA1_96[hmac]
  HMAC_SHA1_128[hmac]
  HMAC_SHA1_160[hmac]
  HMAC_MD5_96[hmac]
  HMAC_MD5_128[hmac]
  HMAC_SHA2_256_128[hmac]
  HMAC_SHA2_256_256[hmac]
  HMAC_SHA2_384_192[hmac]
  HMAC_SHA2_384_384[hmac]
  HMAC_SHA2_512_256[hmac]
  HMAC_SHA2_512_512[hmac]
aead:
hasher:
  HASH_SHA1[sha1]
  HASH_SHA2_224[sha2]
  HASH_SHA2_256[sha2]
  HASH_SHA2_384[sha2]
  HASH_SHA2_512[sha2]
  HASH_MD5[md5]
  HASH_IDENTITY[curve25519]

SA Established:
root at t1024rdb:~# ipsec statusall m1
Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 9 seconds, since Nov 05 21:27:35 2018
  malloc: sbrk 2027520, mmap 0, used 288528, free 1738992
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  10.10.5.1
  192.168.51.2
  192.168.52.2
  172.16.31.1
  172.16.32.1
Connections:
          m1:  172.16.31.1...172.16.31.2  IKEv2, dpddelay=60s
          m1:   local:  [172.16.31.1] uses pre-shared key authentication
          m1:   remote: [172.16.31.2] uses pre-shared key authentication
          m1:   child:  192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24 TUNNEL, dpdaction=clear
Routed Connections:
          m1{1}:  ROUTED, TUNNEL, reqid 1
          m1{1}:   192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 7 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
          m1[1]: IKEv2 SPIs: eca1d32c9e634128_i* b1157e6f487ea502_r, pre-shared key reauthentication in 39 minutes
          m1[1]: IKE proposal: AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_1536
root at t1024rdb:~#


CHILD-SA fails:

11[IKE] 172.16.31.1 is initiating an IKE_SA
11[CFG] selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_1536
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
11[NET] sending packet: from 172.16.31.2[500] to 172.16.31.1[500] (408 bytes)
13[NET] received packet: from 172.16.31.1[500] to 172.16.31.2[500] (268 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13[CFG] looking for peer configs matching 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
13[CFG] selected peer config 'm1'
13[IKE] authentication of '172.16.31.1' with pre-shared key successful
13[IKE] authentication of '172.16.31.2' (myself) with pre-shared key
13[IKE] IKE_SA m1[1] established between 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
13[IKE] scheduling reauthentication in 2921s
13[IKE] maximum IKE_SA lifetime 3461s
13[CFG] selected proposal: ESP:AES_CBC_256/AES_XCBC_96/NO_EXT_SEQ
13[KNL] received netlink error: Function not implemented (38)
13[KNL] unable to add SAD entry with SPI cadbb51e (FAILED)
13[KNL] received netlink error: Function not implemented (38)
13[KNL] unable to add SAD entry with SPI c05ee772 (FAILED)
13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
13[IKE] failed to establish CHILD_SA, keeping IKE_SA



Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.

More information about the Users mailing list