Re: [strongSwan] Drop data traffic if ipsec is not present

2016-08-05 Thread Sarat Vajrapu
Hi Andreas, Thanks for your inputs. I did some testing with leftfirewall, iptables rules and understood the behavior. Regards, Sarat On Fri, Aug 5, 2016 at 12:31 AM, Andreas Steffen < andreas.stef...@strongswan.org> wrote: > Hi Sarat, > > leftfirewall=yes installs and removes dynamic IPsec

Re: [strongSwan] Pcrypt module usage

2016-08-05 Thread Kapil Adhikesavalu
With the below steps I don't see any performance improvements in ipsec in a multicore HW. Is there anything I am missing? Thanks Kapil On 04-Aug-2016 5:37 PM, "Kapil Adhikesavalu" wrote: Hello, I am getting the following errors while trying pcrypt. From the wiki page, i

Re: [strongSwan] Authentication algoritm supported by strongSwan

2016-08-05 Thread Andreas Steffen
Hi Codrut, no, strongSwan does not support the ESP authentication algorithm HMAC-RIPEMD-160-96. Regards Andreas On 05.08.2016 13:41, Codrut Grosu wrote: > Hi, > > > Is the next algorithm supported by strongSwan : MAC-RIPMED-160-96 > [RFC2857] ? > > > The name is from wireshark ESP

[strongSwan] Authentication algoritm supported by strongSwan

2016-08-05 Thread Codrut Grosu
Hi, Is the next algorithm supported by strongSwan : MAC-RIPMED-160-96 [RFC2857] ? The name is from wireshark ESP decryption table. Cheers, Codrut.

[strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-05 Thread Tore Anderson
Hi, We recently experienced that an IKEv2-negotiated ESP site-to-site tunnel between strongSwan 5.3.5 running on Ubuntu 16.04 and a Fortinet FortiGate router broke following the re-auth of the IKE_SA. Just one out of six ESP CHILD_SAs broke. I've uploaded config files, charon logs, and other

Re: [strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Lakshmi Prasanna
Thanks Andreas. On Fri, Aug 5, 2016 at 2:29 PM, Andreas Steffen < andreas.stef...@strongswan.org> wrote: > Hi Lakshmi, > > yes, your understanding is correct. Since AES-GCM is an > authenticated encryption algorithm, you don't need an > additional integrity protection function. Thus > > Valid

Re: [strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Andreas Steffen
Hi Lakshmi, yes, your understanding is correct. Since AES-GCM is an authenticated encryption algorithm, you don't need an additional integrity protection function. Thus Valid IKEv1 combo: -- keyexchange=ikev1 ike=aes256-sha256-modp2048! esp=aes256gcm128! Valid IKEv2 combo:

Re: [strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Lakshmi Prasanna
Thank you for the reply Andreas. Can you please validate my understanding? Valid combo: --- keyexchange=ikev1 ike=aes256-sha256-modp2048! esp=aes256gcm128-sha256! Invalid combo: keyexchange=ikev1 ike=aes256gcm128-sha256-modp2048!

Re: [strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Andreas Steffen
Hi Lakshmi, The old IKEv1 protocol does not support AES-GCM for IKE since IANA hasn't assigned any encryption transform numbers: http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4 AES-GCM can be used for IKE protection with IKEv2, only:

[strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Lakshmi Prasanna
Hi Team, I am trying to use AES-GCM with IKEV1 and see that strongswan does not send the encryption algorithm. Is there any plugin or knob to enable the same? Logs: received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 configured