Thanks Noel,

Since I haven't specified anything in strongswan.conf, I assume that all of the 
plugins I built will be loaded.
"ipsec listalgs" prints nothing (similar to ipsec statusall).

Also, any swanctl command I run simply hangs and doesn't finish or print 
anything.

Any idea why?

Roee.

On 8/10/18, 2:43 PM, "Noel Kuntze" <noel.kuntze@thermi.consulting> wrote:

    Hello,
    
    The output of "./configure" only tells you what is built at build time, not what is loaded at run time.
    They're complementary. You can't load a plugin that wasn't built. To be able to load a plugin, it has to be built and you need to have it.
    
    Yes, af-alg does what you want. Your expectation to get stuff in the logs when it works is wrong. No crypto plugin ever prints anything regarding the usage, as long as nothing bad/critical happens.
    You need to check the output of `ipsec listalgs` to see which plugin provides which algorithms.
    
    Algorithms are provided by the plugin which provides them first relative to when the plugins are loaded when the daemon starts.
    
    Kind regards
    
    Noel
    
    
    On 10.08.18 at 14:43, Roee Agami wrote:
    > Hi,
    >
    > I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.
    >
    > Now I am trying to build strongSwan with that plugin. I know of this example config:
    >
    > https://www.strongswan.org/testing/testresults/af-alg/rw-cert/
    >
    > And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).
    >
    > Here is the output of the configure script command:
    >
    > strongSwan will be built with the following plugins
    > libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
    > libcharon:         kernel-netlink socket-default stroke vici updown counters
    > libtnccs:
    > libtpmtss:
    >
    > Then I make and make install it, and restart ipsec.
    >
    > Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.
    >
    > Running ‘ipsec statusall’ doesn’t show any output at all.
    >
    > So my conclusion is that strongSwan is not running the way I wanted it to.
    >
    > Can you help me figure out what I am missing?
    >
    > Thanks,
    >
    > Roee.
    
    -- 
    Noel Kuntze
    IT security consultant
    
    GPG Key ID: 0x0739AD6C
    Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
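
The check Noel describes above (reading `ipsec listalgs` to see which plugin provides each algorithm), as an added example that is not part of the original thread or of strongSwan's code. The sample text is constructed, its `NAME[plugin]` layout and category names are assumed, and `parse_listalgs` and `not_from` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in the NAME[plugin] layout assumed for `ipsec listalgs`
# output; it is not output from the poster's system.
SAMPLE = """\
List of registered IKE algorithms:

  encryption: AES_CBC[af-alg] 3DES_CBC[af-alg] CAMELLIA_CBC[openssl]
              AES_CTR[ctr]
  integrity:  HMAC_SHA1_96[af-alg] HMAC_SHA2_256_128[af-alg]
  aead:       AES_GCM_16[gcm] AES_CCM_16[ccm]
  hasher:     HASH_SHA1[af-alg] HASH_SHA2_256[openssl]
  prf:        PRF_HMAC_SHA2_256[af-alg]
  dh-group:   MODP_2048[gmp] ECP_256[openssl]
  random-gen: RNG_STRONG[random]
"""

TOKEN = re.compile(r"([A-Za-z0-9_]+)\[([A-Za-z0-9_-]+)\]")   # ALGORITHM[plugin]
HEADER = re.compile(r"^\s+([a-z-]+):\s")                     # "  encryption: ..."

def parse_listalgs(text):
    """Return {category: [(algorithm, plugin), ...]} from listalgs-style text."""
    result, category = defaultdict(list), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            category = m.group(1)
        # Indented lines without a header are wrapped continuations of the
        # current category, so their tokens are appended to it.
        if category and line.startswith(" "):
            result[category].extend(TOKEN.findall(line))
    return dict(result)

def not_from(parsed, plugin, categories):
    """Algorithms in the given categories whose provider is not `plugin`."""
    return sorted(alg for cat in categories
                  for alg, prov in parsed.get(cat, []) if prov != plugin)

if __name__ == "__main__":
    parsed = parse_listalgs(SAMPLE)
    # Anything listed here is served by a user-space plugin that registered
    # the algorithm before af-alg, or that af-alg does not offer at all.
    for alg in not_from(parsed, "af-alg",
                        ["encryption", "integrity", "hasher", "prf"]):
        print("not provided by af-alg:", alg)
```

On a running daemon, the same functions can be fed the captured text of `ipsec listalgs` instead of `SAMPLE`.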
    
    
    
