Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Gyula Kovács

Hi All,

Thank you for your time and help.
Based on your ideas and advice, I checked the SW deployment on the target 
and found that libstrongswan-curve25519.so was missing from 
/usr/lib/ipsec/plugins/ directory.

So, I had a simple deployment (more precisely: bitbake recipe) error.
After fixing the recipe, the target worked again.
So the problem is solved. Thank you again.

Best regards,
Gyula



Re: [strongSwan] NixOS test

2017-08-30 Thread Bas van Dijk

The test now succeeds[1].

Thanks for your help.

Bas

[1] https://groups.google.com/d/msg/nix-devel/X-0T97MLR7I/cGUCWjXQAAAJ

On 30 August 2017 at 02:57, Bas van Dijk wrote:
> On 30 August 2017 at 02:29, Noel Kuntze wrote:
>> Two things:
>> - Please don't pipe stuff from the web into bash, it just asks for trouble 
>> and especially don't advertise or advise people to do it.
>
> Hi Noel, good point. This should probably be removed from nixos.org/nix.
>
>> - Try enforcing UDP encapsulation. If the FW rules actually change 
>> something, then currently only IKE is allowed, but there's no NAT, so ESP is 
>> used as transport protocol.
>
> Something similar was suggested[1] on the nix-devel mailing list. I
> will see how to get that to work.
>
> Bas
>
> [1] https://groups.google.com/forum/#!msg/nix-devel/X-0T97MLR7I/jbPQucPOAAAJ
>
>> Kind regards
>>
>> Noel
>>
>> On 30.08.2017 02:18, Bas van Dijk wrote:
>>> I've created a PR for the NixOS Linux distribution that adds a module
>>> for strongswan-swanctl:
>>>
>>>   https://github.com/NixOS/nixpkgs/pull/27958
>>>
>>> Although the new module works on our company VPN I would also like to
>>> add a NixOS test to ensure it keeps working. I've mimicked one of the
>>> swanctl tests from the strongswan project:
>>>
>>>   https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-test/nixos/tests/strongswan-swanctl.nix
>>>
>>> Although SAs get established successfully between gateway moon and
>>> roadwarrior carol I can't seem to ping alice from carol. Since I'm no
>>> networking expert I'm probably missing something obvious. It would be
>>> great if somebody could give me a tip or point me in the right
>>> direction.
>>>
>>> To run the test for yourself you don't need to install NixOS, you only
>>> need the Nix package manager (which is easy to uninstall later on;
>>> just rm -r /nix):
>>>
>>>   $ curl https://nixos.org/nix/install | sh
>>>
>>> Then clone my nixpkgs fork and checkout the right branch:
>>>
>>>   $ git clone https://github.com/LumiGuide/nixpkgs.git
>>>   $ cd nixpkgs
>>>   $ git checkout strongswan-swanctl-test
>>>
>>> Look in nixos/tests/strongswan-swanctl.nix to see how to run the test
>>> but the following should get you started:
>>>
>>>   $ nix-build nixos/tests/strongswan-swanctl.nix
>>>
>>> Note that I also asked this question on the nix-devel mailing list:
>>>
>>>   https://groups.google.com/forum/#!topic/nix-devel/X-0T97MLR7I
>>>
>>> Cheers,
>>>
>>> Bas
>>


Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Tobias Brunner

Hi Gyula,

> First, without --disable-curve25519, which means that the plugin is
> enabled (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).
> After that, I added --disable-curve25519 to ./configure options.

Also note that you might need to run `make clean` first after you
changed the configure options.  Then make sure the plugin is actually
built, installed, and loaded at runtime (log or `ipsec statusall`).

You can also change the IKE proposal (`ike` keyword in ipsec.conf) so
curve25519 is not used.

Regards,
Tobias
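
Tobias's checklist (plugin built, installed, and loaded at runtime) and the missing libstrongswan-curve25519.so that Gyula reported at the top of the page can be scripted. The POSIX sh below is an added example, not code from the thread or from strongSwan; it runs against a constructed copy of the `ipsec statusall` output quoted in the thread, and the plugin directory /usr/lib/ipsec/plugins is assumed from Gyula's message.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a strongSwan plugin is
# (a) installed as libstrongswan-<name>.so and (b) listed as loaded by charon.

# Constructed sample: the relevant lines of the `ipsec statusall` output
# quoted in the thread (no curve25519 plugin in the loaded list).
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
  uptime: 13 seconds, since Jan 01 00:01:30 1970
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  160.48.99.98'

# Assumed plugin directory, taken from Gyula's message.
PLUGIN_DIR=/usr/lib/ipsec/plugins

# plugin_loaded STATUS_TEXT NAME: succeeds if NAME appears as a whole word
# on the "loaded plugins:" line of the given `ipsec statusall` output.
plugin_loaded() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*loaded plugins://p' \
        | tr -s ' ' '\n' \
        | grep -qx -- "$2"
}

# plugin_installed DIR NAME: succeeds if libstrongswan-NAME.so is in DIR.
plugin_installed() {
    [ -f "$1/libstrongswan-$2.so" ]
}

# check_plugin STATUS_TEXT DIR NAME: prints a diagnosis.
# Returns 0 if loaded, 2 if installed but not loaded, 1 if not installed.
check_plugin() {
    if plugin_loaded "$1" "$3"; then
        echo "$3: loaded by charon"
        return 0
    elif plugin_installed "$2" "$3"; then
        echo "$3: libstrongswan-$3.so is in $2 but charon did not load it (check the plugin load settings in strongswan.conf)"
        return 2
    else
        echo "$3: libstrongswan-$3.so missing from $2 (plugin not built or not deployed)"
        return 1
    fi
}

# Stand-alone run against the constructed sample.
for p in curve25519 openssl; do
    check_plugin "$SAMPLE_STATUS" "$PLUGIN_DIR" "$p" || :
done
```

On a live host, feed `ipsec statusall` output into the same functions instead of the constructed sample.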


Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Levente

What about explicit --enable-curve25519 ?

Lev

On Wed, Aug 30, 2017 at 10:54 AM, Gyula Kovács wrote:
> Hi Eric,
>
> I tried both variants.
> First, without --disable-curve25519, which means that the plugin is enabled
> (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).
> After that, I added --disable-curve25519 to ./configure options.
> But both builds produced the same error message.
>
> Best regards,
> Gyula
>


Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Gyula Kovács

Hi Eric,

I tried both variants.
First, without --disable-curve25519, which means that the plugin is 
enabled (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).

After that, I added --disable-curve25519 to ./configure options.
But both builds produced the same error message.

Best regards,
Gyula



Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Eric Germann

You want --disable-curve25519 to be --enable-curve25519

EKG

> On Aug 30, 2017, at 4:24 AM, Gyula Kovács wrote:
> 
> Hi All,
> 
> I've just updated strongSwan from 5.5.1 to 5.6.0.
> After the update, I got the "configured DH group CURVE_25519 not supported" 
> error message.
> The target was working fine before the update, the configuration files were 
> not changed during the update.
> I found some information on the internet, so I know that Curve25519 support 
> was introduced in 5.5.2.
> I checked the build configuration options, and disabled the curve25519 
> support (--disable-curve25519), but it did not help.
> I have no idea what might cause the problem.
> Any help would be appreciated.
> 
> Best regards,
> Gyula Kovacs
> 
> I added the technical details here.
> 
> Target system:
> - Linux 3.18.31 #1 PREEMPT Tue Aug 29 12:27:09 CEST 2017 armv7l GNU/Linux
> - OpenSSL 1.0.2l  25 May 2017
> - strongSwan configuration options:
>   --build=x86_64-linux --host=arm-oe-linux-gnueabi --target=arm-oe-linux-gnueabi
>   --prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
>   --libexecdir=/usr/lib/strongswan --datadir=/usr/share --sysconfdir=/etc
>   --sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include
>   --oldincludedir=/usr/include --infodir=/usr/share/info --mandir=/usr/share/man
>   --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot=/oe-core/build/tmp-glibc/sysroots/
>   --without-lib-prefix --without-systemdsystemunitdir --disable-aesni --enable-charon --enable-curl --disable-curve25519
>   --enable-gmp --disable-ldap --disable-mysql --enable-openssl --disable-scepclient --disable-soup --enable-sqlite
>   --enable-stroke --disable-swanctl --disable-systemd
> 
> Opponent:
> - Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686 GNU/Linux
> - OpenSSL 1.0.1t  3 May 2016
> - strongSwan configuration options:
>   ./configure --prefix=/usr --sysconfdir=/etc --disable-curve25519
> 
> Error message:
> root@mdm9640:~# ipsec up host-host-psk-lan
> initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
> configured DH group CURVE_25519 not supported
> tried to checkin and delete nonexisting IKE_SA
> establishing connection 'host-host-psk-lan' failed
> root@mdm9640:~#
> 
> root@mdm9640:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
>   uptime: 13 seconds, since Jan 01 00:01:30 1970
>   malloc: sbrk 540672, mmap 0, used 229400, free 311272
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
>   160.48.99.98
>   160.48.199.98
> Connections:
> host-host-psk-lan:  160.48.99.98...160.48.99.124  IKEv2
> host-host-psk-lan:   local:  [160.48.99.98] uses pre-shared key authentication
> host-host-psk-lan:   remote: [160.48.99.124] uses pre-shared key authentication
> host-host-psk-lan:   child:  dynamic === dynamic TRANSPORT
> Security Associations (0 up, 0 connecting):
>   none
> root@mdm9640:~#
> 
> Log files:
> root@mdm9640:~# cat /var/log/charon.log
> Jan  1 00:03:35 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l)
> Jan  1 00:03:35 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan  1 00:03:35 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan  1 00:03:35 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jan  1 00:03:35 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jan  1 00:03:35 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  1 00:03:35 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.99.124
> Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.199.124
> Jan  1 00:03:35 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan  1 00:03:35 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan  1 00:03:35 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Jan  1 00:03:35 00[JOB] spawning 16 worker threads
> Jan  1 00:03:35 05[CFG] received stroke: add connection 'host-host-psk-lan'
> Jan  1 00:03:35 05[CFG] added configuration 'host-host-psk-lan'
> Jan  1 00:03:54 07[CFG] received stroke: initiate 'host-host-psk-lan'
> Jan  1 00:03:54 09[IKE]  initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
> Jan 

[strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Gyula Kovács

Hi All,

I've just updated strongSwan from 5.5.1 to 5.6.0.
After the update, I got the "configured DH group CURVE_25519 not 
supported" error message.
The target was working fine before the update, the configuration files 
were not changed during the update.
I found some information on the internet, so I know that Curve25519 
support was introduced in 5.5.2.
I checked the build configuration options, and disabled the curve25519 
support (--disable-curve25519), but it did not help.

I have no idea what might cause the problem.
Any help would be appreciated.

Best regards,
Gyula Kovacs

I added the technical details here.

Target system:
- Linux 3.18.31 #1 PREEMPT Tue Aug 29 12:27:09 CEST 2017 armv7l GNU/Linux
- OpenSSL 1.0.2l  25 May 2017
- strongSwan configuration options:
  --build=x86_64-linux --host=arm-oe-linux-gnueabi --target=arm-oe-linux-gnueabi
  --prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
  --libexecdir=/usr/lib/strongswan --datadir=/usr/share --sysconfdir=/etc
  --sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include
  --oldincludedir=/usr/include --infodir=/usr/share/info --mandir=/usr/share/man
  --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot=/oe-core/build/tmp-glibc/sysroots/
  --without-lib-prefix --without-systemdsystemunitdir --disable-aesni --enable-charon --enable-curl --disable-curve25519
  --enable-gmp --disable-ldap --disable-mysql --enable-openssl --disable-scepclient --disable-soup --enable-sqlite
  --enable-stroke --disable-swanctl --disable-systemd

Opponent:
- Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686 GNU/Linux
- OpenSSL 1.0.1t  3 May 2016
- strongSwan configuration options:
  ./configure --prefix=/usr --sysconfdir=/etc --disable-curve25519

Error message:
root@mdm9640:~# ipsec up host-host-psk-lan
initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
configured DH group CURVE_25519 not supported
tried to checkin and delete nonexisting IKE_SA
establishing connection 'host-host-psk-lan' failed
root@mdm9640:~#

root@mdm9640:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
  uptime: 13 seconds, since Jan 01 00:01:30 1970
  malloc: sbrk 540672, mmap 0, used 229400, free 311272
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  160.48.99.98
  160.48.199.98
Connections:
host-host-psk-lan:  160.48.99.98...160.48.99.124  IKEv2
host-host-psk-lan:   local:  [160.48.99.98] uses pre-shared key authentication
host-host-psk-lan:   remote: [160.48.99.124] uses pre-shared key authentication
host-host-psk-lan:   child:  dynamic === dynamic TRANSPORT
Security Associations (0 up, 0 connecting):
  none
root@mdm9640:~#

Log files:
root@mdm9640:~# cat /var/log/charon.log
Jan  1 00:03:35 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l)
Jan  1 00:03:35 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan  1 00:03:35 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan  1 00:03:35 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan  1 00:03:35 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan  1 00:03:35 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan  1 00:03:35 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.99.124
Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.199.124
Jan  1 00:03:35 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
Jan  1 00:03:35 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
Jan  1 00:03:35 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Jan  1 00:03:35 00[JOB] spawning 16 worker threads
Jan  1 00:03:35 05[CFG] received stroke: add connection 'host-host-psk-lan'
Jan  1 00:03:35 05[CFG] added configuration 'host-host-psk-lan'
Jan  1 00:03:54 07[CFG] received stroke: initiate 'host-host-psk-lan'
Jan  1 00:03:54 09[IKE]  initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
Jan  1 00:03:54 09[IKE]  configured DH group CURVE_25519 not supported
Jan  1 00:03:54 09[MGR]  tried to checkin and delete nonexisting IKE_SA
Jan  1 00:04:02 00[DMN] signal of type SIGINT received. Shutting down
root@mdm9640:~#

Aug 30 10:12:51 mgu charon: 00[DMN] Starting IKE charon daemon 
(strongSwan