Feature #2172
Updated by Tobias Brunner almost 9 years ago
Hi,
I'm using Strongswan version 5.5.0, and have compiled with the command to enable ccm and aes as well.
I can see the plugins being loaded without any error. charon doesn't throw any error while reading the ipsec.conf.
But still I get the following error during "IKE_AUTH".
I had set the encryption method as "aes128ccm16" for "ike" and "esp" in ipsec.conf. It was not throwing any error for IKE, but for ESP the following error is seen.
I tried different options
- enable and disable "kernel libipsec" options.
- use "aes128ccm8" and "aes128ccm64" options. The following logs have been taken for the same .
I'm using strongswan as client(on a different machine) as well, but client software doesn't complain about the same.
Nov 16 12:22:37 localhost charon: 09[IKE] building INTERNAL_IP4_DNS attribute
Nov 16 12:22:37 localhost charon: 09[ESP] *failed to create ESP context: unsupported AEAD algorithm AES_CCM_8*
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create SAD entry
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create ESP context: unsupported AEAD algorithm AES_CCM_8
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create SAD entry
Linux version
--------------
<pre>
[root@localhost ~]# uname -r
2.6.32-642.el6.x86_64
</pre>
Plugins loaded:
------------------
<pre>
loaded plugins: charon *aes* kernel-libipsec des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr *ccm* gcm attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-tls eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
</pre>
ipsec listall output snapshot
------------------------------
<pre>
ccm:
AEAD:AES_CCM_8-16
CRYPTER:AES_CBC-16
AEAD:AES_CCM_8-24
CRYPTER:AES_CBC-24
AEAD:AES_CCM_8-32
CRYPTER:AES_CBC-32
AEAD:AES_CCM_12-16
CRYPTER:AES_CBC-16
AEAD:AES_CCM_12-24
CRYPTER:AES_CBC-24
AEAD:AES_CCM_12-32
CRYPTER:AES_CBC-32
AEAD:AES_CCM_16-16
CRYPTER:AES_CBC-16
AEAD:AES_CCM_16-24
CRYPTER:AES_CBC-24
AEAD:AES_CCM_16-32
CRYPTER:AES_CBC-32
AEAD:CAMELLIA_CCM_8-16 (not loaded)
CRYPTER:CAMELLIA_CBC-16
AEAD:CAMELLIA_CCM_8-24 (not loaded)
CRYPTER:CAMELLIA_CBC-24
AEAD:CAMELLIA_CCM_8-32 (not loaded)
CRYPTER:CAMELLIA_CBC-32
AEAD:CAMELLIA_CCM_12-16 (not loaded)
CRYPTER:CAMELLIA_CBC-16
AEAD:CAMELLIA_CCM_12-24 (not loaded)
CRYPTER:CAMELLIA_CBC-24
AEAD:CAMELLIA_CCM_12-32 (not loaded)
CRYPTER:CAMELLIA_CBC-32
AEAD:CAMELLIA_CCM_16-16 (not loaded)
CRYPTER:CAMELLIA_CBC-16
AEAD:CAMELLIA_CCM_16-24 (not loaded)
CRYPTER:CAMELLIA_CBC-24
AEAD:CAMELLIA_CCM_16-32 (not loaded)
CRYPTER:CAMELLIA_CBC-32
</pre>
ipsec.conf
--------------
<pre>
## ipsec.conf - strongSwan IPsec configuration file
#
## basic configuration
#
config setup
# strictcrlpolicy=yes
# uniqueids = no
charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"
conn home
left=10.219.4.135
leftid=secondary_ss_server.com
leftcert=/etc/data/Cert.pem
right=10.205.40.100
rightid=%any
rightcert=%any
ike=aes128ccm16-sha1-prfsha1-modp2048!
esp=aes128ccm8-sha1!
mobike=no
ikelifetime=6400s
lifetime=6000s
auto=add
reauth=no
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=pubkey
dpdaction=none
leftsubnet=0.0.0.0/0
rightdns=10.204.4.4
rightsubnet=10.220.24.6/32
compress=yes
</pre>
Please suggest what could be wrong.
I'm using Strongswan version 5.5.0, and have compiled with the command to enable ccm and aes as well.
I can see the plugins being loaded without any error. charon doesn't throw any error while reading the ipsec.conf.
But still I get the following error during "IKE_AUTH".
I had set the encryption method as "aes128ccm16" for "ike" and "esp" in ipsec.conf. It was not throwing any error for IKE, but for ESP the following error is seen.
I tried different options
- enable and disable "kernel libipsec" options.
- use "aes128ccm8" and "aes128ccm64" options. The following logs have been taken for the same .
I'm using strongswan as client(on a different machine) as well, but client software doesn't complain about the same.
Nov 16 12:22:37 localhost charon: 09[IKE] building INTERNAL_IP4_DNS attribute
Nov 16 12:22:37 localhost charon: 09[ESP] *failed to create ESP context: unsupported AEAD algorithm AES_CCM_8*
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create SAD entry
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create ESP context: unsupported AEAD algorithm AES_CCM_8
Nov 16 12:22:37 localhost charon: 09[ESP] failed to create SAD entry
Linux version
--------------
<pre>
[root@localhost ~]# uname -r
2.6.32-642.el6.x86_64
</pre>
Plugins loaded:
------------------
<pre>
loaded plugins: charon *aes* kernel-libipsec des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr *ccm* gcm attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-tls eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
</pre>
ipsec listall output snapshot
------------------------------
<pre>
ccm:
AEAD:AES_CCM_8-16
CRYPTER:AES_CBC-16
AEAD:AES_CCM_8-24
CRYPTER:AES_CBC-24
AEAD:AES_CCM_8-32
CRYPTER:AES_CBC-32
AEAD:AES_CCM_12-16
CRYPTER:AES_CBC-16
AEAD:AES_CCM_12-24
CRYPTER:AES_CBC-24
AEAD:AES_CCM_12-32
CRYPTER:AES_CBC-32
AEAD:AES_CCM_16-16
CRYPTER:AES_CBC-16
AEAD:AES_CCM_16-24
CRYPTER:AES_CBC-24
AEAD:AES_CCM_16-32
CRYPTER:AES_CBC-32
AEAD:CAMELLIA_CCM_8-16 (not loaded)
CRYPTER:CAMELLIA_CBC-16
AEAD:CAMELLIA_CCM_8-24 (not loaded)
CRYPTER:CAMELLIA_CBC-24
AEAD:CAMELLIA_CCM_8-32 (not loaded)
CRYPTER:CAMELLIA_CBC-32
AEAD:CAMELLIA_CCM_12-16 (not loaded)
CRYPTER:CAMELLIA_CBC-16
AEAD:CAMELLIA_CCM_12-24 (not loaded)
CRYPTER:CAMELLIA_CBC-24
AEAD:CAMELLIA_CCM_12-32 (not loaded)
CRYPTER:CAMELLIA_CBC-32
AEAD:CAMELLIA_CCM_16-16 (not loaded)
CRYPTER:CAMELLIA_CBC-16
AEAD:CAMELLIA_CCM_16-24 (not loaded)
CRYPTER:CAMELLIA_CBC-24
AEAD:CAMELLIA_CCM_16-32 (not loaded)
CRYPTER:CAMELLIA_CBC-32
</pre>
ipsec.conf
--------------
<pre>
## ipsec.conf - strongSwan IPsec configuration file
#
## basic configuration
#
config setup
# strictcrlpolicy=yes
# uniqueids = no
charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"
conn home
left=10.219.4.135
leftid=secondary_ss_server.com
leftcert=/etc/data/Cert.pem
right=10.205.40.100
rightid=%any
rightcert=%any
ike=aes128ccm16-sha1-prfsha1-modp2048!
esp=aes128ccm8-sha1!
mobike=no
ikelifetime=6400s
lifetime=6000s
auto=add
reauth=no
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=pubkey
dpdaction=none
leftsubnet=0.0.0.0/0
rightdns=10.204.4.4
rightsubnet=10.220.24.6/32
compress=yes
</pre>
Please suggest what could be wrong.