Thanks Tobias,

I'm actually trying to do esp=aes128cgm16!
Here's where I show off my ignorance. How do you configure something like this on an Android client? There doesn't seem to be an ipsec.conf file.

Regards,
Bill

Hi Bill,

> Jan 12 12:11:24 14[CFG] received proposals:
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
> Jan 12 12:11:24 14[IKE] no acceptable proposal found

You configured esp=aes128cgm16-sha256! on the gateway but did not do so on the client. Therefore, the client sends its default proposal which does not include AES-GCM. Hence, no matching proposal is found.

Regards,
Tobias

On Thu, Jan 12, 2012 at 12:27 PM, william masson <[email protected]> wrote:

> Hi Tobias,
>
> Thanks for putting me on the right track.
> I've enabled CONFIG_GCM, CONFIG_SHA256 in the android kernel and flashed
> the handset.
> I noticed that GCM is configured as a module in my Ubuntu server so I did
> a modprobe on it just to make sure it was loaded.
> Still not connecting tho.
>
> charon.log shows:
>
> no acceptable ENCRYPTION_ALGORITHM found
> Jan 12 12:11:24 14[CFG] received proposals:
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
> Jan 12 12:11:24 14[IKE] no acceptable proposal found
>
> Any thoughts?
> Regards,
> Bill
>
> Hi Bill,
>
> > I want to use the gcm block cypher. (esp=aes128cgm16!)
> > I added gcm to the Android.mk in the strongswan_CHARON_PLUGINS list and
> > also added it to the Android.mk in src/libstrongswan.
>
> The gcm plugin you activated with the above is for strongSwan internal
> use with the key exchange protocol IKEv2 and not on the IPsec level with
> ESP, which is what you want to enable with the esp= option. Since ESP
> is handled by the Linux kernel you have to build your own kernel with
> CRYPTO_GCM enabled in the options. So if you don't want to actually use
> AES-GCM with IKEv2 itself you don't have to do anything special when
> building strongSwan.
>
> > The server was configured using --enable-gcm option and an ipsec listall
> > seems to confirm that the server supports it.
>
> Same applies here, --enable-gcm only enables GCM for IKEv2. Depending
> on the Linux distribution you use, GCM may already be enabled in the
> default kernel.
>
> Regards,
> Tobias
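
A small diagnostic for the log excerpt in this thread, added here as an example and not part of the original messages or of strongSwan: it parses the `received proposals` and `configured proposals` lines of charon.log and reports which transform type has no overlap. Classifying transforms by name prefix and the matching rule itself are simplifying assumptions, not strongSwan's selection code.

```python
import re

INTEG = ("HMAC_", "AES_XCBC_", "AES_CMAC_")       # integrity transforms
DH = ("MODP_", "ECP_", "CURVE_")                  # DH groups (parsed, not compared)
AEAD = ("_GCM_", "_CCM_", "CHACHA20_POLY1305")    # combined-mode ciphers
ORDER = ("encr", "integ", "esn")

# The three charon.log lines quoted in the thread, each rejoined onto one line.
THREAD_LOG = """\
Jan 12 12:11:24 14[CFG] received proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 12 12:11:24 14[CFG] configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
Jan 12 12:11:24 14[IKE] no acceptable proposal found
"""

def kind(name):
    """Classify a transform by its name (assumed naming scheme)."""
    if name in ("EXT_SEQ", "NO_EXT_SEQ"):
        return "esn"
    if name.startswith(INTEG):
        return "integ"
    if name.startswith(DH):
        return "dh"
    return "encr"

def parse(text):
    """'ESP:A/B, ESP:C' -> one {kind: set of names} dict per proposal."""
    proposals = []
    for prop in text.split(","):
        groups = {k: set() for k in ORDER + ("dh",)}
        for name in prop.strip().partition(":")[2].split("/"):
            groups[kind(name)].add(name)
        proposals.append(groups)
    return proposals

def first_mismatch(received, configured):
    """Return the first transform kind with no overlap, or None on a match."""
    common = {k: received[k] & configured[k] for k in ORDER}
    for k in ORDER:
        aead = common["encr"] and all(any(m in n for m in AEAD) for n in common["encr"])
        if k == "integ" and aead:
            continue  # AEAD ciphers carry their own integrity check
        if (received[k] or configured[k]) and not common[k]:
            return k
    return None

def diagnose(log):
    """Compare every received proposal with every configured one."""
    found = dict(re.findall(r"\] (received|configured) proposals: (.+)", log))
    return [first_mismatch(r, c)
            for r in parse(found["received"]) for c in parse(found["configured"])]

if __name__ == "__main__":
    print(diagnose(THREAD_LOG))
```

A result of `encr` for a pair means the two sides share no encryption transform, which is the condition charon reports as `no acceptable ENCRYPTION_ALGORITHM found`.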
