Seems you are hitting the AES-NI 256-bit limitation. You have a couple of
options:

1. Move to kernel 4.1 or see if patches are available to port it to old
kernel.

2. Try removing this kernel module; it might work (maybe not) without the
AES-NI instruction support. If it works, throughput will be lower.

Thanks
Kapil
On 22-Jun-2016 8:54 AM, "sandeep dubey" <[email protected]> wrote:

> Thanks Kapil for quick reply.
>
> I grepped for 'intel_aesni' in /proc/crypto and found the below -
>
> module       : aesni_intel
> driver       : crc32c-intel
>
> It seems that our EC2 instance is on that kernel.
>
> On Wed, Jun 22, 2016 at 8:42 AM, Kapil Adhikesavalu <[email protected]>
> wrote:
>
>> Hi Sandeep,
>>
>> Are you by any chance using intel_aesni klm (check /proc/crypto)? If so,
>> aesgcm256 is not supported until kernel 4.1.
>>
>> Otherwise you can check the logs for any errors.
>>
>> Related to GCM256 - https://wiki.strongswan.org/issues/341
>>
>> Thanks
>> Kapil
>> On 22-Jun-2016 7:12 AM, "sandeep dubey" <[email protected]> wrote:
>>
>>> Hi Andreas,
>>>
>>> Thanks for the reply, I tried but it didn't work for me.
>>>
>>> my config -
>>>
>>> conn support-node
>>>         authby=secret
>>>         auto=start
>>>         type=tunnel
>>>         left=172.19.17.23
>>>         leftid=5.6.7.8
>>>         leftsubnet=172.19.0.0/16
>>>         leftauth=psk
>>>         right=1.2.3.4
>>>         rightsubnet=10.10.0.0/16
>>>         rightauth=psk
>>>         ike=aes256gcm12-modp1536
>>>         esp=aes256gcm12-modp1536
>>>
>>> On Tue, Jun 21, 2016 at 6:53 PM, Andreas Steffen <
>>> [email protected]> wrote:
>>>
>>>> Hi Sandeep,
>>>>
>>>> since AES-GCM is an authenticated encryption algorithm
>>>> no hash algorithm is needed in the esp statement:
>>>>
>>>>   esp=aes256gcm12-modp1536
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>>
>>>> On 21.06.2016 16:27, sandeep dubey wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am new to the strongSwan world and have successfully set up a tunnel
>>>>> between two AWS VPCs, but I have to make some changes in the config to
>>>>> comply with a security requirement, which is not working even after
>>>>> multiple tries. I went through an old bug for intel-eni which was fixed
>>>>> but couldn't find any way to check and confirm if I have that fix or not.
>>>>>
>>>>> Bug ref. - http://wiki.strongswan.org/issues/341
>>>>> Fix ref. -
>>>>> https://marc.info/?l=linux-crypto-vger&m=139388786131685&w=2
>>>>>
>>>>> The only difference in my working config and not working config is as
>>>>> below -
>>>>>
>>>>> Working with -
>>>>>          ike=aes128-sha1-modp1024
>>>>>          esp=aes128-sha1-modp1024
>>>>>
>>>>> Not working with -
>>>>>          ike=aes256gcm12-sha256-modp1536
>>>>>          esp=aes256gcm12-sha256-modp1536
>>>>>
>>>>>
>>>>> I am using ikev2 on EC2 instance with kernel 3.13.0-85-generic
>>>>> #129-Ubuntu SMP.
>>>>>
>>>>> Can someone help me?
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Sandeep
>>>>>
>>>>
>>>> ======================================================================
>>>> Andreas Steffen                         [email protected]
>>>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil
>>>> CH-8640 Rapperswil (Switzerland)
>>>> ===========================================================[ITA-HSR]==
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Sandeep
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>
>
> --
> Regards,
> Sandeep
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
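
The check discussed in this thread (look in /proc/crypto for the aesni_intel module and compare the kernel release against 4.1) can be scripted. The following is an added example, not part of the original messages or of strongSwan; the function names and the sample /proc/crypto records are constructed, and the 4.1 threshold is the one stated in the thread.

```shell
#!/bin/sh
# Constructed sample in /proc/crypto record format (not taken from the thread).
SAMPLE_CRYPTO='name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400

name         : crc32c
driver       : crc32c-intel
module       : crc32c_intel
priority     : 200'

# gcm_drivers: read /proc/crypto text on stdin and print "driver module"
# for every record whose algorithm name is a GCM-over-AES transform.
gcm_drivers() {
    awk -F' *: *' '
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "module" { module = $2 }
        /^[ \t]*$/     { emit() }
        END            { emit() }
        function emit() {
            if (name ~ /gcm\(aes\)/) print driver, module
            name = driver = module = ""
        }'
}

# kernel_before_4_1 RELEASE: succeed if RELEASE (as from uname -r) is < 4.1.
kernel_before_4_1() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 1 ]; }
}

# check_aes256gcm RELEASE: read /proc/crypto text on stdin, print a verdict.
check_aes256gcm() {
    drivers=$(gcm_drivers)
    if printf '%s\n' "$drivers" | grep -q 'aesni_intel$' && kernel_before_4_1 "$1"; then
        echo "at-risk: aesni_intel provides gcm(aes) on kernel $1 (thread: needs 4.1)"
    elif [ -z "$drivers" ]; then
        echo "unknown: no gcm(aes) transform registered"
    else
        echo "ok: gcm(aes) via ${drivers%% *} on kernel $1"
    fi
}

# Sample run with the kernel release quoted in the thread. On a real host:
#   check_aes256gcm "$(uname -r)" < /proc/crypto
printf '%s\n' "$SAMPLE_CRYPTO" | check_aes256gcm "3.13.0-85-generic"
```

/proc/crypto lists only transforms that are currently registered, so an "unknown" result can simply mean the module has not been loaded yet.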