Issue #515

ECDH not loading

Added by Jim Smith over 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
build
Affected version:
5.1.1
Resolution:
No change required

Description

Has anyone seen this error: StrongSwan 5.1 not recognizing the OpenSSL FIPS ECDH plugin? We have set up a StrongSwan server and are trying to implement ECDH, and we get an error that it is not loading.

History

#1 Updated by Andreas Steffen over 8 years ago

  • Status changed from New to Feedback
  • Assignee set to Andreas Steffen

Hi Jim,
please post the actual error messages written to the strongSwan log file. Setting charondebug="lib 2" will help us to diagnose the problem.

Regards

Andreas

#2 Updated by Jim Smith over 8 years ago

Andreas,

Thank you very much for getting back to me. Below is the problem that we are incurring.

Compiled OpenSSL With ECDH FIPS

[root@ip-172-31-29-208 strongswan-5.1.2dr3]# openssl ec
read EC key

SO ECDH is correct in OpenSSL

STRONGSWAN CONFIG
./configure --prefix=/usr --sysconfdir=/etc --enable-attr-sql --with-fips-mode=1 --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-farp --enable-openssl --enable-eap-radius --enable-xauth-eap --disable-gmp

make clean
make
sudo make install

********No OpenSSL PlugIn Loaded**********************

[root@ip-172-31-29-208 strongswan-5.1.2dr3]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2dr3, Linux 2.6.32-358.14.1.el6.x86_64, x86_64):
uptime: 25 seconds, since Feb 13 17:53:26 2014
malloc: sbrk 270336, mmap 0, used 218832, free 51504
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius xauth-generic xauth-eap
Virtual IP pools (size/online/offline):
10.200.2.128/24: 254/0/0
Listening IP addresses:
172.31.29.208
Connections:
Android: %any...%any IKEv2, dpddelay=10s
Android: local: [54.199.194.49] uses public key authentication
Android: remote: uses public key authentication
Android: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
Android: child: dynamic === dynamic TUNNEL, dpdaction=clear
rw-xauth_IOS: %any...%any IKEv1, dpddelay=10s
rw-xauth_IOS: local: [54.199.194.49] uses public key authentication
rw-xauth_IOS: remote: uses public key authentication
rw-xauth_IOS: remote: uses XAuth authentication: any
rw-xauth_IOS: child: dynamic === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):

Thank you very much,
Patrick

#3 Updated by Andreas Steffen over 8 years ago

There must be a reason why the openssl plugin is not loaded:

1) Is the dynamic library libstrongswan-openssl.so present in the /usr/lib/ipsec/plugins/ directory or wherever you installed your strongSwan libraries to?

2) If yes, does ldd /usr/lib/ipsec/plugins/libstrongswan-openssl.so show that libcrypto.so.1.0.0 could be linked and if yes points to the correct openssl-fips library (just compare with the path returned by ldd /usr/bin/openssl)

3) If yes, have a look at the strongSwan log. Depending on the Linux distribution either /var/log/syslog, /var/log/messages, /var/log/secure or /var/log/daemon.log (If in doubt execute grep charon /var/log/*). With the debug level charondebug="lib 2" the log should show the loading of all plugins with additional error messages if the plugin could not be successfully loaded.

Regards Andreas
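
Putting the three checks above into a script, as an added example (my code, not part of this issue or of strongSwan): it tests for the plugin shared object, compares the libcrypto that the plugin and the openssl binary resolve to, and pulls every "failed to load" line out of the charon log together with the [LIB] message logged immediately before it, which is where the loader records the cause. The plugin directory and log path are assumptions for a --prefix=/usr build on a system that syslogs to /var/log/messages; override PLUGIN_DIR and LOGFILE if yours differ. The sample log lines embedded for the self-check are constructed, modelled on the format in this thread.

```shell
#!/bin/sh
# Added example, not part of the strongSwan issue or the project's code:
# automates the three checks for a plugin that is missing from the
# "loaded plugins" list. Paths are assumptions for a --prefix=/usr build;
# override PLUGIN_DIR / LOGFILE in the environment if yours differ.
PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/ipsec/plugins}"
LOGFILE="${LOGFILE:-/var/log/messages}"

# Check 1: is the plugin shared object installed? (exit status 0 if present)
plugin_present() {
    [ -f "$1/libstrongswan-$2.so" ]
}

# Check 2: print the resolved libcrypto path from ldd output read on stdin,
# or nothing if the dynamic linker could not resolve it ("not found").
libcrypto_from_ldd() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" && $3 ~ /^\// { print $3; exit }'
}

# Check 3: from charon log lines on stdin, print "<plugin><TAB><reason>" for
# every plugin that failed to load. The loader logs the cause (for example
# "unable to set openssl FIPS mode(1)") on the [LIB] line just before the
# "failed to load" line, so that preceding [LIB] message is reported.
failed_plugins() {
    awk -v q="'" '
        /\[LIB\]/ {
            if ($0 ~ /failed to load/) {
                name = $0
                sub(".*plugin " q, "", name); sub(q ".*", "", name)
                print name "\t" prev
            }
            prev = $0; sub(/.*\[LIB\] /, "", prev)
        }'
}

# Constructed sample log (modelled on the lines posted in this issue), so the
# parser can be exercised without a running daemon.
SAMPLE_LOG="Feb 13 18:24:48 host charon: 00[LIB] plugin 'pem': loaded successfully
Feb 13 18:24:48 host charon: 00[LIB] unable to set openssl FIPS mode(1)
Feb 13 18:24:48 host charon: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL
Feb 13 18:24:48 host charon: 00[LIB] plugin 'fips-prf': loaded successfully
Feb 13 18:24:48 host charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'"

# Runs the parser over the constructed sample; prints "openssl<TAB>unable to set openssl FIPS mode(1)".
demo_failed() {
    printf '%s\n' "$SAMPLE_LOG" | failed_plugins
}

# Full report against the live system, e.g.:  sh diagnose.sh openssl
diagnose() {
    name="$1"
    so="$PLUGIN_DIR/libstrongswan-$name.so"
    if plugin_present "$PLUGIN_DIR" "$name"; then
        echo "1) $so: present"
        plug_crypto=$(ldd "$so" | libcrypto_from_ldd)
        bin_crypto=$(ldd "$(command -v openssl)" | libcrypto_from_ldd)
        echo "2) plugin links ${plug_crypto:-UNRESOLVED libcrypto}; openssl binary uses ${bin_crypto:-UNRESOLVED libcrypto}"
        [ "$plug_crypto" = "$bin_crypto" ] || echo "   WARNING: plugin and openssl binary resolve to different libcrypto builds"
    else
        echo "1) $so: MISSING (plugin not built, or installed under another prefix)"
    fi
    echo "3) plugins that failed to load, from $LOGFILE (start charon with charondebug=\"lib 2\"):"
    grep charon "$LOGFILE" 2>/dev/null | failed_plugins
}

# With no argument the script only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

Run it as `sh diagnose.sh openssl` on the VPN host. When check 2 shows two different libcrypto paths, the plugin was linked against a different OpenSSL build than the one `openssl` itself uses, which is exactly the comparison Andreas asks for; when check 3 prints a plugin with a reason, that reason line is what to quote in the report.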

#4 Updated by Jim Smith over 8 years ago

Here is what we have on your questions. What are we missing? Thanks again, Patrick and Jim,

locate libstrongswan-openssl.so

/root/strongswan-5.1.2dr3/src/libstrongswan/plugins/openssl/.libs/libstrongswan-openssl.so

/usr/lib/ipsec/plugins/libstrongswan-openssl.so

[root@ip-172-31-29-208 ~]# ldd /usr/lib/ipsec/plugins/libstrongswan-openssl.so
linux-vdso.so.1 => (0x00007fff7a1ff000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f05c7ddb000)
libc.so.6 => /lib64/libc.so.6 (0x00007f05c7a47000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f05c7842000)
libz.so.1 => /lib64/libz.so.1 (0x00007f05c762c000)
/lib64/ld-linux-x86-64.so.2 (0x0000003e76200000)
[root@ip-172-31-29-208 ~]# ldd /usr/bin/openssl
linux-vdso.so.1 => (0x00007fff317ff000)
libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003454200000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003453e00000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003452e00000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003452a00000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003453200000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003453a00000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003e76600000)
libz.so.1 => /lib64/libz.so.1 (0x0000003e77600000)
libc.so.6 => /lib64/libc.so.6 (0x0000003e76a00000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003453600000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003e7c200000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003e78600000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003e76e00000)
/lib64/ld-linux-x86-64.so.2 (0x0000003e76200000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003e78200000)

CHARON LOG
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2dr3, Linux 2.6.32-358.14.1.el6.x86_64, x86_64)
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'aes': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'des': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'rc2': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'sha1': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'sha2': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'md4': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'md5': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'random': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'nonce': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'x509': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'revocation': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'constraints': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pubkey': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pkcs1': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pkcs7': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pkcs8': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pkcs12': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pgp': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'dnskey': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'sshkey': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'pem': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] unable to set openssl FIPS mode(1)
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'fips-prf': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'xcbc': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'cmac': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'hmac': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'attr': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'attr-sql': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'kernel-netlink': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'resolve': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'socket-default': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'farp': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'stroke': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'updown': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'eap-identity': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'eap-mschapv2': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'eap-radius': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'xauth-generic': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'xauth-eap': loaded successfully
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] feature CUSTOM:attr-sql in plugin 'attr-sql' has unmet dependency: DATABASE:any
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loading private key from '/etc/ipsec.d/private/serverKey.pem' failed
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for davidc
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for GreenMachine
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for MobileDataCenter
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for androidnew
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for android
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for galaxy_tab
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for ipad5cert
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for osxcert
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for galaxy
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for galaxyeap
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for androideap
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for matt
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for patrick
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for adriennepad
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for galaxy_old
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for fscottyeager1
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for fscottyeager2
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for seanshaub
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for androidatt
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for adrienneiphone
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for cookie
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for androideap2
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for pgalaxy
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for Chuck
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for Chuck2
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for mark1
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for mark2
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for iphonec5
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for patphone
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for Scott_Android
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for syncdog1
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for syncdog2
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for syncdog3
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for syncdog4
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for massoud
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for wonderboy
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for sig1
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for sig2
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for robmac
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for ash
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for sam
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for dj
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for rose
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for fred
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for rob
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for barry
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for systemone
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded EAP secret for systemtwo
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] unloading plugin 'attr-sql' without loaded features
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius xauth-generic xauth-eap
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[JOB] spawning 16 worker threads
Feb 13 18:24:48 ip-172-31-29-208 charon: 01[LIB] created thread 01 [26507]
Feb 13 18:24:48 ip-172-31-29-208 charon: 02[LIB] created thread 02 [26508]
Feb 13 18:24:48 ip-172-31-29-208 charon: 03[LIB] created thread 03 [26509]
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[LIB] created thread 08 [26514]
Feb 13 18:24:48 ip-172-31-29-208 charon: 05[LIB] created thread 05 [26511]
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[LIB] created thread 06 [26512]
Feb 13 18:24:48 ip-172-31-29-208 charon: 07[LIB] created thread 07 [26513]
Feb 13 18:24:48 ip-172-31-29-208 charon: 04[LIB] created thread 04 [26510]
Feb 13 18:24:48 ip-172-31-29-208 charon: 16[LIB] created thread 16 [26522]
Feb 13 18:24:48 ip-172-31-29-208 charon: 10[LIB] created thread 10 [26516]
Feb 13 18:24:48 ip-172-31-29-208 charon: 11[LIB] created thread 11 [26517]
Feb 13 18:24:48 ip-172-31-29-208 charon: 12[LIB] created thread 12 [26518]
Feb 13 18:24:48 ip-172-31-29-208 charon: 13[LIB] created thread 13 [26519]
Feb 13 18:24:48 ip-172-31-29-208 charon: 14[LIB] created thread 14 [26520]
Feb 13 18:24:48 ip-172-31-29-208 charon: 15[LIB] created thread 15 [26521]
Feb 13 18:24:48 ip-172-31-29-208 charon: 09[LIB] created thread 09 [26515]
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[CFG] received stroke: add connection 'Android'
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[CFG] left nor right host is our side, assuming left=local
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[CFG] adding virtual IP address pool 10.200.2.128/24
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[CFG] loading certificate from 'serverCert.pem' failed
Feb 13 18:24:48 ip-172-31-29-208 charon: 08[CFG] added configuration 'Android'
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[CFG] received stroke: add connection 'rw-xauth_IOS'
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[CFG] left nor right host is our side, assuming left=local
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[CFG] reusing virtual IP address pool 10.200.2.128/24
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[CFG] loading certificate from 'serverCert.pem' failed
Feb 13 18:24:48 ip-172-31-29-208 charon: 06[CFG] added configuration 'rw-xauth_IOS'
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[NET] received packet: from 173.79.79.70[39470] to 172.31.29.208[500] (660 bytes)
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[IKE] 173.79.79.70 is initiating an IKE_SA
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[IKE] local host is behind NAT, sending keep alives
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[IKE] remote host is behind NAT
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[IKE] DH group MODP_1024 inacceptable, requesting ECP_256
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Feb 13 18:24:59 ip-172-31-29-208 charon: 16[NET] sending packet: from 172.31.29.208[500] to 173.79.79.70[39470] (38 bytes)
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[NET] received packet: from 173.79.79.70[39470] to 172.31.29.208[500] (596 bytes)
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[IKE] 173.79.79.70 is initiating an IKE_SA
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[IKE] local host is behind NAT, sending keep alives
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[IKE] remote host is behind NAT
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[IKE] DH group ECP_256 inacceptable, requesting ECP_256
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Feb 13 18:24:59 ip-172-31-29-208 charon: 10[NET] sending packet: from 172.31.29.208[500] to 173.79.79.70[39470] (38 bytes)
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[NET] received packet: from 173.79.79.70[39470] to 172.31.29.208[500] (596 bytes)
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[IKE] 173.79.79.70 is initiating an IKE_SA
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[IKE] local host is behind NAT, sending keep alives
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[IKE] remote host is behind NAT
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[IKE] DH group ECP_256 inacceptable, requesting ECP_256
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Feb 13 18:24:59 ip-172-31-29-208 charon: 11[NET] sending packet: from 172.31.29.208[500] to 173.79.79.70[39470] (38 bytes)
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[NET] received packet: from 173.79.79.70[39470] to 172.31.29.208[500] (596 bytes)
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[IKE] 173.79.79.70 is initiating an IKE_SA
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[IKE] local host is behind NAT, sending keep alives
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[IKE] remote host is behind NAT
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[IKE] DH group ECP_256 inacceptable, requesting ECP_256
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Feb 13 18:25:00 ip-172-31-29-208 charon: 12[NET] sending packet: from 172.31.29.208[500] to 173.79.79.70[39470] (38 bytes)
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[NET] received packet: from 173.79.79.70[39470] to 172.31.29.208[500] (596 bytes)
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[IKE] 173.79.79.70 is initiating an IKE_SA
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[IKE] local host is behind NAT, sending keep alives
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[IKE] remote host is behind NAT
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[IKE] DH group ECP_256 inacceptable, requesting ECP_256
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Feb 13 18:25:00 ip-172-31-29-208 charon: 13[NET] sending packet: from 172.31.29.208[500] to 173.79.79.70[39470] (38 bytes)

#5 Updated by Andreas Steffen over 8 years ago

Hmmm, the actual error message is

Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] unable to set openssl FIPS mode(1)
Feb 13 18:24:48 ip-172-31-29-208 charon: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL

The following code snippet in the strongSwan openssl plugin tests the openssl library for FIPS-140-2 conformance:

    /* read libstrongswan.plugins.openssl.fips_mode from strongswan.conf,
     * defaulting to the FIPS_MODE value chosen at configure time */
    fips_mode = lib->settings->get_int(lib->settings, "%s.plugins.openssl.fips_mode",
                                       FIPS_MODE, lib->ns);

#ifdef OPENSSL_FIPS
    if (fips_mode)
    {
        /* libcrypto runs its FIPS power-up self-tests here; if they fail,
         * the plugin refuses to load rather than run in an undefined state */
        if (!FIPS_mode_set(fips_mode))
        {
            DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
            return NULL;
        }
    }
#else
    /* libcrypto was built without FIPS support, so a non-zero fips_mode
     * cannot be honoured at all */
    if (fips_mode)
    {
        DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
        return NULL;
    }
#endif

Thus it seems that the OPENSSL_FIPS variable is set by the openssl library but that FIPS_mode_set(1) fails. Does the openssl plugin load if you disable FIPS mode in /etc/strongswan.conf?
libstrongswan {
    plugins {
        openssl {
            fips_mode = 0
        }
    }
}

#6 Updated by Jim Smith over 8 years ago

Hi Andreas,

Well that did the trick. It loaded it. So the FIPS Self Check is causing the problem. Should I look into the FIPS canister compilation or is there something else? Also, the library is libcrypto.so.10 not libcrypto.so.1.0.0 as suggested in your earlier post.

Thanks

#7 Updated by Andreas Steffen over 8 years ago

Yes, my only guess is that the openssl-fips library was not built correctly. From our Suite B software regression test scenario http://www.strongswan.org/uml/testresults5dr/openssl-ikev2/rw-suite-b-128/carol.daemon.log I know that strongSwan works nicely with openssl-fips.

Concerning the different numbering of the libcrypto library, I think this depends on the Linux distribution used.
In my case the host is Ubuntu 13.10 x86_64. Our KVM guests use Debian 7.0 with openssl-fips and the version is also libcrypto.so.1.0.0.

Kind regards

Andreas

#8 Updated by Jim Smith over 8 years ago

Andreas,

Thank you so much for your prompt attention. We really appreciate your efforts.

Jim

#9 Updated by Jim Smith over 8 years ago

Hi Andreas,

I am trying to get the openssl-fips with ECDH library to build correctly. Can you point me in the right direction? I checked to make sure that it was not trying to load it twice. That does not seem to be the problem. I am currently using https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf page 24 as the build process, with no success.

Thank You,
Jim

#10 Updated by Tobias Brunner over 6 years ago

  • Category set to build
  • Status changed from Feedback to Closed
  • Resolution set to No change required

Closing some old issues. If this is still a problem, please reopen.
