strongSwan

Changes to the sources since 5.3 (ie 5.3.1,.2,.3) seem to have broken kernel-libipsec with NULL encryption as follows:

We are trying to run kernel-libipsec with null esp encryption using strongswan 5.3.2 on Centos 7.

When it attempt to setup the child SA we get the following error in the logs

Oct 21 14:06:54 irisp-asgw-2 charon: 04[CFG] selecting traffic selectors for other:
Oct 21 14:06:54 irisp-asgw-2 charon: 04[CFG] config: 10.10.0.0/24, received: 10.10.0.0/24 => match: 10.10.0.0/24
Oct 21 14:06:54 irisp-asgw-2 charon: 04[ESP] failed to create ESP context: creating iv gen failed
Oct 21 14:06:54 irisp-asgw-2 charon: 04[ESP] failed to create SAD entry
Oct 21 14:06:54 irisp-asgw-2 charon: 04[ESP] failed to create ESP context: creating iv gen failed
Oct 21 14:06:54 irisp-asgw-2 charon: 04[ESP] failed to create SAD entry
Oct 21 14:06:54 irisp-asgw-2 charon: 04[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Oct 21 14:06:54 irisp-asgw-2 charon: 04[IKE] failed to establish CHILD_SA, keeping IKE_SA

This appears to come from around line 279 of src/libipsec/esp_context.c as the table called to return the iv generator does not have one for NULL encryption. Which is what I’d expect for NULL encryption, but I’m, no expert on that level of detail.

The problem is resolved if we enable encryption for ESP but we want to run with NULL.

We have tried it on Debian also (to rule out openssl issues).

We are stuck having to use NULL encryption in this application - StrongSwan is being used solely for ensuring integrity as the data content is not sensitive but needs to be guaranteed also data forensics require easy-to-read content logs!

Peter