Feature #2172

Not able to use "AES CCM" algorithms with libipsec

Added by Ramya R almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Category: charon
Target version:
Start date: 16.11.2016
Due date:
Estimated time:
Resolution: Fixed

Description

Hi,
I'm using strongSwan version 5.5.0, and have compiled with the command to enable ccm and aes as well.
I can see the plugins being loaded without any error. charon doesn't throw any error while reading the ipsec.conf.
But still I get the following error during "IKE_AUTH".
I had set the encryption method as "aes128ccm16" for "ike" and "esp" in ipsec.conf. It was not throwing any error for IKE, but for ESP the following error is seen.

I tried different options
- enable and disable "kernel libipsec" options.
- use "aes128ccm8" and "aes128ccm64" options. The following logs have been taken for the same.

I'm using strongSwan as a client (on a different machine) as well, but the client software doesn't complain about the same.

Nov 16 12:22:37 localhost charon: 09[IKE] building INTERNAL_IP4_DNS attribute
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create ESP context: unsupported AEAD algorithm AES_CCM_8
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create SAD entry
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create ESP context: unsupported AEAD algorithm AES_CCM_8
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create SAD entry

Linux version
--------------

[root@localhost ~]# uname -r
2.6.32-642.el6.x86_64

Plugins loaded:
------------------

 loaded plugins: charon *aes* kernel-libipsec des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr *ccm* gcm attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-tls eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20

ipsec listall output snapshot
------------------------------

ccm:
    AEAD:AES_CCM_8-16
        CRYPTER:AES_CBC-16
    AEAD:AES_CCM_8-24
        CRYPTER:AES_CBC-24
    AEAD:AES_CCM_8-32
        CRYPTER:AES_CBC-32
    AEAD:AES_CCM_12-16
        CRYPTER:AES_CBC-16
    AEAD:AES_CCM_12-24
        CRYPTER:AES_CBC-24
    AEAD:AES_CCM_12-32
        CRYPTER:AES_CBC-32
    AEAD:AES_CCM_16-16
        CRYPTER:AES_CBC-16
    AEAD:AES_CCM_16-24
        CRYPTER:AES_CBC-24
    AEAD:AES_CCM_16-32
        CRYPTER:AES_CBC-32
    AEAD:CAMELLIA_CCM_8-16 (not loaded)
        CRYPTER:CAMELLIA_CBC-16
    AEAD:CAMELLIA_CCM_8-24 (not loaded)
        CRYPTER:CAMELLIA_CBC-24
    AEAD:CAMELLIA_CCM_8-32 (not loaded)
        CRYPTER:CAMELLIA_CBC-32
    AEAD:CAMELLIA_CCM_12-16 (not loaded)
        CRYPTER:CAMELLIA_CBC-16
    AEAD:CAMELLIA_CCM_12-24 (not loaded)
        CRYPTER:CAMELLIA_CBC-24
    AEAD:CAMELLIA_CCM_12-32 (not loaded)
        CRYPTER:CAMELLIA_CBC-32
    AEAD:CAMELLIA_CCM_16-16 (not loaded)
        CRYPTER:CAMELLIA_CBC-16
    AEAD:CAMELLIA_CCM_16-24 (not loaded)
        CRYPTER:CAMELLIA_CBC-24
    AEAD:CAMELLIA_CCM_16-32 (not loaded)
        CRYPTER:CAMELLIA_CBC-32

ipsec.conf
--------------

## ipsec.conf - strongSwan IPsec configuration file
#
## basic configuration
#
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1" 

conn home
        left=10.219.4.135
        leftid=secondary_ss_server.com
        leftcert=/etc/data/Cert.pem
        right=10.205.40.100
        rightid=%any
        rightcert=%any
        ike=aes128ccm16-sha1-prfsha1-modp2048!
        esp=aes128ccm8-sha1!
        mobike=no
        ikelifetime=6400s
        lifetime=6000s
        auto=add
        reauth=no
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=pubkey
        dpdaction=none
        leftsubnet=0.0.0.0/0
        rightdns=10.204.4.4
        rightsubnet=10.220.24.6/32
        compress=yes

Please suggest what could be wrong.

Associated revisions

Revision 896d729a (diff)
Added by Tobias Brunner almost 4 years ago

libipsec: Add support for AES and Camellia in CCM mode

Fixes #2172.

History

#1 Updated by Tobias Brunner almost 4 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

First, if you consider using kernel-libipsec, please read the notes there. If you can, you should definitely use the kernel's IPsec implementation (i.e. disable kernel-libipsec).

Obviously, the IPsec backend you use has to support AES in CCM mode. So if you are using the kernel's stack make sure the required crypto modules are loaded. If your kernel does not support it you might want to consider using AES-GCM instead, which could have better support.

As for AES-CCM in kernel-libipsec, this is currently not supported (AES-GCM is, though).

#2 Updated by Ramya R almost 4 years ago

Hi,
I have used AES CCM for "ike" in ipsec.conf. It worked well.
I'm seeing this error only when I use it for "esp".
If the kernel is not supporting it, then it should not have worked for "ike" as well... am I getting it right?

How do I find out if CCM is enabled in the kernel or not?

#3 Updated by Tobias Brunner almost 4 years ago

> If the kernel is not supporting it, then it should not have worked for "ike" as well... am I getting it right?

No, IKE is handled by the charon IKE daemon (strongSwan), while ESP/IPsec is handled by the kernel.

> How do I find out if CCM is enabled in the kernel or not?

You can check /proc/crypto. And it will complain when you try to install the IPsec SA (something like "function not implemented").
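
Added example, not part of the original thread or of strongSwan: one way to do the /proc/crypto check mentioned in the reply above. The algorithm names are the Linux crypto API names for the ESP forms of AES-CCM and AES-GCM; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): look for ESP-capable AEADs in a
# /proc/crypto style listing. Function names are hypothetical.

# crypto_has FILE NAME: succeed if FILE has an entry NAME of type "aead".
crypto_has() {
    awk -v want="$2" '
        $1 == "name" { name = $3 }                       # start of an entry
        $1 == "type" && name == want && $3 == "aead" { found = 1 }
        END { exit !found }
    ' "$1"
}

# report_esp_aead FILE: one line per algorithm the kernel uses for ESP.
# "absent" can also mean the module is not loaded yet, so load it and recheck.
report_esp_aead() {
    for alg in 'rfc4309(ccm(aes))' 'rfc4106(gcm(aes))'; do
        if crypto_has "$1" "$alg"; then
            echo "$alg present"
        else
            echo "$alg absent"
        fi
    done
}

# Constructed sample listing: GCM registered, CCM missing.
write_sample() {
    cat > "$1" <<'EOF'
name         : rfc4106(gcm(aes))
module       : kernel
type         : aead

name         : cbc(aes)
module       : kernel
type         : blkcipher
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
report_esp_aead "$tmp"      # on a real host: report_esp_aead /proc/crypto
rm -f "$tmp"
```

This only applies to the kernel IPsec stack; with kernel-libipsec, ESP is processed in userland and /proc/crypto says nothing about what is supported.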

#4 Updated by Ramya R almost 4 years ago

Thanks for the clarifications :)

#5 Updated by Tobias Brunner almost 4 years ago

  • Tracker changed from Issue to Feature
  • Target version set to 5.5.2

By the way, I pushed a patch to the 2172-libipsec-ccm branch that adds support for AES-CCM with kernel-libipsec.

#6 Updated by Tobias Brunner almost 4 years ago

  • Subject changed from Not able to use "AES CCM" algorithms in ipsec encryption. to Not able to use "AES CCM" algorithms with libipsec
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed
