Re: [strongSwan] configured DH group CURVE_25519 not supported
Hi All,

Thank you for your time and help.
Based on your ideas / advice, I checked the SW deployment on the target and found that libstrongswan-curve25519.so was missing from the /usr/lib/ipsec/plugins/ directory.
So, I had a simple deployment (more precisely: bitbake recipe) error.
After fixing the recipe, the target worked again.
So the problem is solved.

Thank you again.

Best regards,
Gyula
Re: [strongSwan] configured DH group CURVE_25519 not supported
Hi Gyula,

> First, without --disable-curve25519, which means that the plugin is
> enabled (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).
> After that, I added --disable-curve25519 to ./configure options.

Also note that you might need to run `make clean` first after you changed the configure options. Then make sure the plugin is actually built, installed, and loaded at runtime (log or `ipsec statusall`). You can also change the IKE proposal (`ike` keyword in ipsec.conf) so curve25519 is not used.

Regards,
Tobias
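The check described in the message above (is the plugin installed, and did charon load it), as an added example that is not part of the thread or of strongSwan. The function names are hypothetical, the sample text is constructed from the `ipsec statusall` output posted in the thread, and the default directory and `libstrongswan-<name>.so` file name are the ones named in the resolution message.

```shell
#!/bin/sh
# Added example (not from the thread): is a strongSwan plugin installed on
# disk, and did charon load it? All function names here are hypothetical.

# Constructed sample, abridged from the `ipsec statusall` output in the thread.
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic
Listening IP addresses:
  160.48.99.98'

# plugin_loaded NAME: reads `ipsec statusall` (or charon.log) text on stdin and
# succeeds if NAME is in the "loaded plugins:" list, including wrapped lines.
plugin_loaded() {
    awk -v want="$1" '
        /loaded plugins:/ { sub(/.*loaded plugins:/, ""); list = $0; grab = 1; next }
        grab && /:/       { grab = 0 }   # next section or log line ends the list
        grab              { list = list " " $0 }
        END {
            n = split(list, p, /[ \t]+/)
            for (i = 1; i <= n; i++) if (p[i] == want) found = 1
            exit (found ? 0 : 1)
        }'
}

# plugin_installed NAME [DIR]: succeeds if the plugin's shared object exists.
# DIR defaults to the plugin directory named in the thread.
plugin_installed() {
    [ -e "${2:-/usr/lib/ipsec/plugins}/libstrongswan-$1.so" ]
}

# diagnose NAME [DIR]: status text on stdin; prints one verdict word.
diagnose() {
    if plugin_loaded "$1"; then
        echo loaded
    elif plugin_installed "$1" "$2"; then
        echo installed-not-loaded   # on disk, but charon did not load it
    else
        echo not-installed          # packaging or deployment problem
    fi
}

# Demo on the constructed sample; on a live system use instead:
#   ipsec statusall | diagnose curve25519
printf '%s\n' "$SAMPLE_STATUS" | diagnose curve25519
```

A `not-installed` verdict points at the build or packaging step, while `installed-not-loaded` points at the daemon's plugin loading.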
Re: [strongSwan] configured DH group CURVE_25519 not supported
What about explicit --enable-curve25519 ?

Lev

On Wed, Aug 30, 2017 at 10:54 AM, Gyula Kovács wrote:
> Hi Eric,
>
> I tried both variants.
> First, without --disable-curve25519, which means that the plugin is enabled
> (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).
> After that, I added --disable-curve25519 to ./configure options.
> But both builds produced the same error message.
>
> Best regards,
> Gyula
>
Re: [strongSwan] configured DH group CURVE_25519 not supported
Hi Eric,

I tried both variants.
First, without --disable-curve25519, which means that the plugin is enabled (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).
After that, I added --disable-curve25519 to ./configure options.
But both builds produced the same error message.

Best regards,
Gyula
Re: [strongSwan] configured DH group CURVE_25519 not supported
You want --disable-curve25519 to be --enable-curve25519

EKG

> On Aug 30, 2017, at 4:24 AM, Gyula Kovács wrote:
>
> Hi All,
>
> I've just updated strongSwan from 5.5.1 to 5.6.0.
> After the update, I got the "configured DH group CURVE_25519 not supported"
> error message.
> The target was working fine before the update, the configuration files were
> not changed during the update.
> I found some information on the internet, so I know that Curve25519 support
> was introduced in 5.5.2.
> I checked the build configuration options, and disabled the curve25519
> support (--disable-curve25519), but it did not help.
> I have no idea what might cause the problem.
> Any help would be appreciated.
>
> Best regards,
> Gyula Kovacs
>
> I added the technical details here.
>
> Target system:
> - Linux 3.18.31 #1 PREEMPT Tue Aug 29 12:27:09 CEST 2017 armv7l GNU/Linux
> - OpenSSL 1.0.2l 25 May 2017
> - strongSwan configuration options:
> --build=x86_64-linux --host=arm-oe-linux-gnueabi
> --target=arm-oe-linux-gnueabi
> --prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
> --libexecdir=/usr/lib/strongswan --datadir=/usr/share --sysconfdir=/etc
> --sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib
> --includedir=/usr/include
> --oldincludedir=/usr/include --infodir=/usr/share/info
> --mandir=/usr/share/man
> --disable-silent-rules --disable-dependency-tracking
> --with-libtool-sysroot=/oe-core/build/tmp-glibc/sysroots/
> --without-lib-prefix --without-systemdsystemunitdir --disable-aesni
> --enable-charon --enable-curl --disable-curve25519
> --enable-gmp --disable-ldap --disable-mysql --enable-openssl
> --disable-scepclient --disable-soup --enable-sqlite
> --enable-stroke --disable-swanctl --disable-systemd
>
> Opponent:
> - Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686 GNU/Linux
> - OpenSSL 1.0.1t 3 May 2016
> - strongSwan configuration options:
> ./configure --prefix=/usr --sysconfdir=/etc --disable-curve25519
>
> Error message:
> root@mdm9640:~# ipsec up host-host-psk-lan
> initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
> configured DH group CURVE_25519 not supported
> tried to checkin and delete nonexisting IKE_SA
> establishing connection 'host-host-psk-lan' failed
> root@mdm9640:~#
>
> root@mdm9640:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
> uptime: 13 seconds, since Jan 01 00:01:30 1970
> malloc: sbrk 540672, mmap 0, used 229400, free 311272
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve
> socket-default stroke vici updown xauth-generic
> Listening IP addresses:
> 160.48.99.98
> 160.48.199.98
> Connections:
> host-host-psk-lan: 160.48.99.98...160.48.99.124 IKEv2
> host-host-psk-lan: local: [160.48.99.98] uses pre-shared key authentication
> host-host-psk-lan: remote: [160.48.99.124] uses pre-shared key
> authentication
> host-host-psk-lan: child: dynamic === dynamic TRANSPORT
> Security Associations (0 up, 0 connecting):
> none
> root@mdm9640:~#
>
> Log files:
> root@mdm9640:~# cat /var/log/charon.log
> Jan 1 00:03:35 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux
> 3.18.31, armv7l)
> Jan 1 00:03:35 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan 1 00:03:35 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan 1 00:03:35 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> Jan 1 00:03:35 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> Jan 1 00:03:35 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan 1 00:03:35 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan 1 00:03:35 00[CFG] loaded IKE secret for 160.48.99.124
> Jan 1 00:03:35 00[CFG] loaded IKE secret for 160.48.199.124
> Jan 1 00:03:35 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan 1 00:03:35 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan 1 00:03:35 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink
> resolve socket-default stroke vici updown xauth-generic
> Jan 1 00:03:35 00[JOB] spawning 16 worker threads
> Jan 1 00:03:35 05[CFG] received stroke: add connection 'host-host-psk-lan'
> Jan 1 00:03:35 05[CFG] added configuration 'host-host-psk-lan'
> Jan 1 00:03:54 07[CFG] received stroke: initiate 'host-host-psk-lan'
> Jan 1 00:03:54 09[IKE] initiating IKE_SA
> host-host-psk-lan[1] to 160.48.99.124
> Jan 1 00:03:54 09[IKE] configured DH group CURVE_25519
[strongSwan] configured DH group CURVE_25519 not supported
Hi All,

I've just updated strongSwan from 5.5.1 to 5.6.0.
After the update, I got the "configured DH group CURVE_25519 not supported" error message.
The target was working fine before the update, the configuration files were not changed during the update.
I found some information on the internet, so I know that Curve25519 support was introduced in 5.5.2.
I checked the build configuration options, and disabled the curve25519 support (--disable-curve25519), but it did not help.
I have no idea what might cause the problem.
Any help would be appreciated.

Best regards,
Gyula Kovacs

I added the technical details here.

Target system:
- Linux 3.18.31 #1 PREEMPT Tue Aug 29 12:27:09 CEST 2017 armv7l GNU/Linux
- OpenSSL 1.0.2l 25 May 2017
- strongSwan configuration options:
--build=x86_64-linux --host=arm-oe-linux-gnueabi
--target=arm-oe-linux-gnueabi
--prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
--libexecdir=/usr/lib/strongswan --datadir=/usr/share --sysconfdir=/etc
--sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib
--includedir=/usr/include
--oldincludedir=/usr/include --infodir=/usr/share/info
--mandir=/usr/share/man
--disable-silent-rules --disable-dependency-tracking
--with-libtool-sysroot=/oe-core/build/tmp-glibc/sysroots/
--without-lib-prefix --without-systemdsystemunitdir --disable-aesni
--enable-charon --enable-curl --disable-curve25519
--enable-gmp --disable-ldap --disable-mysql --enable-openssl
--disable-scepclient --disable-soup --enable-sqlite
--enable-stroke --disable-swanctl --disable-systemd

Opponent:
- Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686 GNU/Linux
- OpenSSL 1.0.1t 3 May 2016
- strongSwan configuration options:
./configure --prefix=/usr --sysconfdir=/etc --disable-curve25519

Error message:
root@mdm9640:~# ipsec up host-host-psk-lan
initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
configured DH group CURVE_25519 not supported
tried to checkin and delete nonexisting IKE_SA
establishing connection 'host-host-psk-lan' failed
root@mdm9640:~#

root@mdm9640:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
uptime: 13 seconds, since Jan 01 00:01:30 1970
malloc: sbrk 540672, mmap 0, used 229400, free 311272
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
160.48.99.98
160.48.199.98
Connections:
host-host-psk-lan: 160.48.99.98...160.48.99.124 IKEv2
host-host-psk-lan: local: [160.48.99.98] uses pre-shared key authentication
host-host-psk-lan: remote: [160.48.99.124] uses pre-shared key authentication
host-host-psk-lan: child: dynamic === dynamic TRANSPORT
Security Associations (0 up, 0 connecting):
none
root@mdm9640:~#

Log files:
root@mdm9640:~# cat /var/log/charon.log
Jan 1 00:03:35 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l)
Jan 1 00:03:35 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 1 00:03:35 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 1 00:03:35 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 1 00:03:35 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 1 00:03:35 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 1 00:03:35 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 1 00:03:35 00[CFG] loaded IKE secret for 160.48.99.124
Jan 1 00:03:35 00[CFG] loaded IKE secret for 160.48.199.124
Jan 1 00:03:35 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
Jan 1 00:03:35 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
Jan 1 00:03:35 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Jan 1 00:03:35 00[JOB] spawning 16 worker threads
Jan 1 00:03:35 05[CFG] received stroke: add connection 'host-host-psk-lan'
Jan 1 00:03:35 05[CFG] added configuration 'host-host-psk-lan'
Jan 1 00:03:54 07[CFG] received stroke: initiate 'host-host-psk-lan'
Jan 1 00:03:54 09[IKE] initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
Jan 1 00:03:54 09[IKE] configured DH group CURVE_25519 not supported
Jan 1 00:03:54 09[MGR] tried to checkin and delete nonexisting IKE_SA
Jan 1 00:04:02 00[DMN] signal of type SIGINT received. Shutting down
root@mdm9640:~#

Aug 30 10:12:51 mgu charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.16.0-4-586, i686)
Aug 30 10:12:51 mgu charon: 00[CFG]