Hi all,
Currently I use Strongswan 5.2.2 (Debian 8). So far, everything is fine. Only with SHA256 there are weird things.

On my PC with Kernel 3.16 I got a length of 128 bits for SHA256, and with the same version on my ARM board with Kernel 3.10 I got a length of 96 bits.

Why does this happen?

Any notes are welcome. Below is the output of ip xfrm state and the configuration.

Nice greetings
Harald



Setup:
######
PC with Debian 8 x86_64 with Kernel 3.16
<----->
ARM Board imX28 Kernel 3.10 also Strongswan 5.2.2


ARM Board imX28 Kernel 3.10 also Strongswan 5.2.2:
/ # ip xfrm state
src 10.1.8.241 dst 10.1.8.240
        proto esp spi 0xc86e8c86 reqid 1 mode tunnel
        replay-window 32
        auth-trunc hmac(sha256) 0x9954ce2e14cbf9c68ec72178859d377da19899688df13783fd728ddd9648bcb7 96
        enc ecb(cipher_null)
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.1.8.240 dst 10.1.8.241
        proto esp spi 0xc31d24ed reqid 1 mode tunnel
        replay-window 32
        auth-trunc hmac(sha256) 0x0549596a5249d0ae333b9f2e56db47923aedc69252289d27796167d64db151de 96
        enc ecb(cipher_null)
        sel src 0.0.0.0/0 dst 0.0.0.0/0

PC with Debian 8 x86_64 with Kernel 3.16:
root@saturn:/home/hk# ip xfrm state
src 10.1.8.240 dst 10.1.8.241
    proto esp spi 0xc31d24ed reqid 10 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x0549596a5249d0ae333b9f2e56db47923aedc69252289d27796167d64db151de 128
    enc ecb(cipher_null)
src 10.1.8.241 dst 10.1.8.240
    proto esp spi 0xc86e8c86 reqid 10 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x9954ce2e14cbf9c68ec72178859d377da19899688df13783fd728ddd9648bcb7 128
    enc ecb(cipher_null)



Config: (is working without SHA256)
#######
conn %default
        ikelifetime=28800
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret

conn test
        left=10.1.8.240
        leftsubnet=10.1.0.0/8
        leftid=10.1.8.240
        leftfirewall=yes
        leftsourceip=%config
        right=10.1.8.241
        rightsubnet=10.1.8.241/32
        rightid=10.1.8.241
        auto=add
        type=tunnel
        ike=null-sha256-modp2048!   # null for wireshark
        esp=null-sha256-modp2048!   # null for wireshark
        dpdaction=restart
        dpddelay=20s
        dpdtimeout=10s



_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
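
Added example, not part of the original post: a small parser that compares the auth-trunc (ICV) length per SPI across the two `ip xfrm state` dumps above, since both peers must use the same ICV length for ESP integrity checks to pass. The function names are my own, and the keys in the sample dumps are constructed placeholders; SPIs and lengths are taken from the post.

```python
import re

SPI_RE = re.compile(r"\bspi\s+(0x[0-9a-fA-F]+)")
AUTH_RE = re.compile(r"^\s*auth(?:-trunc)?\s+(\S+)\s+0x[0-9a-fA-F]+(?:\s+(\d+))?\s*$")

def parse_xfrm_state(text):
    """Map SPI -> (auth algorithm, ICV length in bits, or None if not printed)."""
    sas, spi = {}, None
    for line in text.splitlines():
        m = SPI_RE.search(line)
        if m and "proto" in line:          # "proto esp spi 0x..." starts the SA details
            spi = m.group(1).lower()
            continue
        m = AUTH_RE.match(line)            # accepts indented and unindented auth lines
        if m and spi is not None:
            sas[spi] = (m.group(1), int(m.group(2)) if m.group(2) else None)
    return sas

def icv_mismatches(a, b):
    """SAs present on both peers whose truncation length differs: (spi, alg, a_bits, b_bits)."""
    return [(spi, a[spi][0], a[spi][1], b[spi][1])
            for spi in sorted(a.keys() & b.keys()) if a[spi][1] != b[spi][1]]

# Constructed sample input modelled on the post's output; keys are placeholders.
ARM_DUMP = """\
src 10.1.8.241 dst 10.1.8.240
        proto esp spi 0xc86e8c86 reqid 1 mode tunnel
        replay-window 32
auth-trunc hmac(sha256) 0x00112233 96
        enc ecb(cipher_null)
src 10.1.8.240 dst 10.1.8.241
        proto esp spi 0xc31d24ed reqid 1 mode tunnel
auth-trunc hmac(sha256) 0x44556677 96
"""
PC_DUMP = """\
src 10.1.8.240 dst 10.1.8.241
    proto esp spi 0xc31d24ed reqid 10 mode tunnel
    auth-trunc hmac(sha256) 0x44556677 128
src 10.1.8.241 dst 10.1.8.240
    proto esp spi 0xc86e8c86 reqid 10 mode tunnel
    auth-trunc hmac(sha256) 0x00112233 128
"""

if __name__ == "__main__":
    arm, pc = parse_xfrm_state(ARM_DUMP), parse_xfrm_state(PC_DUMP)
    for spi, alg, a_bits, b_bits in icv_mismatches(arm, pc):
        print(f"SPI {spi}: {alg} ICV is {a_bits} bits on ARM but {b_bits} bits on PC")
```
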
