Issue #441

aes-gcm > 128bit key giving netlink error

Added by Jason Borden over 6 years ago. Updated over 6 years ago.

Status: Rejected
Priority: Normal
Category: charon
Affected version: 5.1.1
Resolution: Duplicate

Description

I'm having an issue establishing a site-to-site VPN using AES in GCM mode when using a key size larger than 128 bits. Using two Linux servers, kernel 3.10.18 and strongSwan 5.1.1.

Working ipsec.conf:

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    mobike=no
    ike=aes128gcm16-aesxcbc-modp2048
    esp=aes128gcm16

conn test
    authby=secret
    left=172.17.31.106
    leftsubnet=192.168.106.0/24
    right=172.17.31.107
    rightsubnet=192.168.107.0/24
    auto=add

If I change it to:

    ike=aes192gcm16-aesxcbc-modp2048
    esp=aes192gcm16

or

    ike=aes256gcm16-aesxcbc-modp2048
    esp=aes256gcm16

the CHILD_SA will fail to establish. The node I attempt to connect to will have the following error in its log:

    charon: 05[KNL] received netlink error: Invalid argument (22)


Related issues

Is duplicate of Issue #341: aes256gcm on Linux x86_64 and aes-ni processor | Closed | 29.05.2013

History

#1 Updated by Tobias Brunner over 6 years ago

  • Status changed from New to Rejected
  • Assignee set to Tobias Brunner
  • Resolution set to Duplicate
