Re: [strongSwan] esalg: No test for authenc(hmac(sha1), cbc(aes)) (authenc(hmac(sha1-generic), cbc(aes-generic)))

2009-09-11 Thread Dimitrios Siganos
I have found out that the message is coming from the linux kernel and 
not from charon as I thought.

It comes from the function:
int alg_test(const char *driver, const char *alg, u32 type, u32 mask)

I still don't know if it is something to worry about though.

Regards,
Dimitrios Siganos

Dimitrios Siganos wrote:
 Hi,

 I am getting the message:
 esalg: No test for authenc(hmac(sha1),cbc(aes)) 
 (authenc(hmac(sha1-generic),cbc(aes-generic)))
 when I bring up a tunnel. The tunnel is established.

 I am using strongswan with openssl instead of libgmp. I believe (but I 
 am not sure, I can check if you like) that I wasn't getting this message 
 when I was using libgmp.

 I would like to know what this message means. And if it is something I 
 should worry about.

 Later on, after a period of inactivity, of 30 min to 1 hour, the tunnel 
 fails, one direction first and then eventually both directions. I will 
 provide more details on that problem separately. I just wanted to know 
 if this message is an early hint of a problem.

 The complete output from charon follows:
 # ipsec up test
 initiating IKE_SA test[1] to 10.224.2.100
 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 sending packet: from 10.224.2.101[500] to 10.224.2.100[500]
 received packet: from 10.224.2.100[500] to 10.224.2.101[500]
 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
 CERTREQ N(MULT_AUTH) ]
 received cert request for C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=west
 received cert request for C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=east
 sending cert request for C=UK, ST=Cambridgeshire, L=Cambridge, 
 O=Airvana INC, OU=TR069, CN=Airvana CA, e=airvana...@airvana.com
 sending cert request for C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=east
 sending cert request for C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=west
 authentication of 'C=AU, ST=Some-State, L=London, O=Internet Widgits Pty 
 Ltd, CN=east' (myself) with RSA signature successful
 sending end entity cert C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=east
 esalg: No test for authenc(hmac(sha1),cbc(aes)) 
 (authenc(hmac(sha1-generic),cbc(aes-generic)))
 tablishing CHILD_SA test
 generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr 
 N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
 sending packet: from 10.224.2.101[4500] to 10.224.2.100[4500]
 received packet: from 10.224.2.100[4500] to 10.224.2.101[4500]
 parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) 
 N(MOBIKE_SUP) N(ADD_4_ADDR) ]
 received end entity cert C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=west
   using trusted certificate C=AU, ST=Some-State, L=London, O=Internet 
 Widgits Pty Ltd, CN=west
 authentication of 'C=AU, ST=Some-State, L=London, O=Internet Widgits Pty 
 Ltd, CN=west' with RSA signature successful
 scheduling reauthentication in 3351s
 maximum IKE_SA lifetime 3531s
 IKE_SA test[1] established between 10.224.2.101[C=AU, ST=Some-State, 
 L=London, O=Internet Widgits Pty Ltd, CN=east]...10.224.2.100[C=AU, 
 ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west]

 Regards,
 Dimitrios Siganos
 ___
 Users mailing list
 Users@lists.strongswan.org
 https://lists.strongswan.org/mailman/listinfo/users
   



Re: [strongSwan] MODP_2048?

2009-09-11 Thread Yong Choo
Thank you!
I will look into my build area and the target board.

-Yong Choo

Andreas Steffen wrote:
 Hi,
 the error message:

   
 *configured DH group MODP_2048 not supported*
 

 means that neither the gmp nor the openssl plugin could be
 loaded successfully which implement the big number arithmetic
 required for the Diffie-Hellman groups.

 The command ipsec statusall should list either gmp and|or openssl in
 the line

   loaded plugins: 

 and the command ipsec listalgs should list all Diffie Hellman groups:

   dh-group:   MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144
   MODP_8192 MODP_1024 MODP_768

 with the gmp plugin plus

  ECP_192 ECP_224 ECP_256 ECP_384 ECP_521

 with the openssl plugin.

 By default strongSwan compiles and loads the gmp plugin which in turn
 requires the GNU Multiprecision library (libgmp3) including the header
 file /usr/include/gmp.h.

 Alternatively you can activate the openssl plugin (./configure
 --enable-openssl) which requires the libcrypto-0.9.8 library plus the
 /usr/include/openssl/ header files.

 Best regards

 Andreas

 Yong Choo wrote:
   
 Hi all,

 I'm trying to 'execute' the following (on a cross-compiled PowerPC 
 Linux  for a telecommunication board):
 ipsec up net-enb40 (where I have the connectivity setup in the ipsec.config)

 I'm getting the following error:
 *configured DH group MODP_2048 not supported*

 I think I'm missing a kernel option? We are using Wind River Linux 
 PNE2.0 version.
 Does anyone know how to turn this 'MODP_2048' on?

 Thanks Much!
 

 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
   

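The check Andreas describes above, as an added shell example (not part of the original thread and not strongSwan's own tooling): it reads the `loaded plugins:` line of `ipsec statusall` and the `dh-group:` entry of `ipsec listalgs` and reports why a configured DH group would be rejected. The function names and the sample outputs are constructed for illustration; on a real host, pass in the actual command output instead.

```shell
#!/bin/sh
# Added example. Sample outputs below are constructed, not captured from a host.

# Print the plugin names on the "loaded plugins:" line of `ipsec statusall` (stdin).
loaded_plugins() {
    sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' | head -n 1
}

# Succeed if gmp or openssl (the big-number plugins) is in that list.
has_bignum_plugin() {
    loaded_plugins | tr ' ' '\n' | grep -qxE 'gmp|openssl'
}

# Print one DH group per line from `ipsec listalgs` (stdin). The dh-group
# entry may wrap, so keep reading until the next "label:" line.
dh_groups() {
    awk '
        /^[ \t]*dh-group:/      { on = 1; sub(/^[ \t]*dh-group:/, "") }
        on && /^[ \t]*[a-z-]+:/ { on = 0 }
        on { for (i = 1; i <= NF; i++) print $i }
    '
}

# $1 = statusall text, $2 = listalgs text, $3 = DH group the connection is configured for
diagnose() {
    if ! printf '%s\n' "$1" | has_bignum_plugin; then
        echo "no gmp/openssl plugin loaded"
    elif ! printf '%s\n' "$2" | dh_groups | grep -qxF "$3"; then
        echo "$3 not registered"
    else
        echo "$3 available"
    fi
}

# Constructed samples: one host without a big-number plugin, one with gmp only.
NO_BIGNUM_STATUS='  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey hmac stroke'
GMP_STATUS='  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey hmac gmp stroke'
EMPTY_ALGS='  prf:        PRF_HMAC_SHA1
  dh-group:'
GMP_ALGS='  prf:        PRF_HMAC_SHA1 PRF_HMAC_MD5
  dh-group:   MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144
              MODP_8192 MODP_1024 MODP_768'

diagnose "$NO_BIGNUM_STATUS" "$EMPTY_ALGS" MODP_2048
diagnose "$GMP_STATUS" "$GMP_ALGS" MODP_2048
diagnose "$GMP_STATUS" "$GMP_ALGS" ECP_256   # ECP groups come with the openssl plugin
```

On a live system the equivalent call is `diagnose "$(ipsec statusall)" "$(ipsec listalgs)" MODP_2048`.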