Hi Kapil,

I have been looking into this issue for a couple of days and finally decided to post my query here. I tried the first option (patch for old kernel) but couldn't find it. How can I find out if my kernel has that patch applied?
The second option is not workable for us.

On Wed, Jun 22, 2016 at 10:41 AM, Kapil Adhikesavalu <[email protected]> wrote:

> Seems you are hitting the AES-NI 256-bit limitation. You have a couple of
> options:
>
> 1. Move to kernel 4.1 or see if patches are available to port it to the old
> kernel.
>
> 2. Try removing this kernel module; it might work (maybe not) without the
> AES-NI instructions support. If it works, throughput will be less.
>
> Thanks
> Kapil
> On 22-Jun-2016 8:54 AM, "sandeep dubey" <[email protected]> wrote:
>
>> Thanks Kapil for the quick reply.
>>
>> I grepped for 'intel_aesni' in /proc/crypto and found the below -
>>
>> module : aesni_intel
>> driver : crc32c-intel
>>
>> It seems that our EC2 instance is on that kernel.
>>
>> On Wed, Jun 22, 2016 at 8:42 AM, Kapil Adhikesavalu <[email protected]>
>> wrote:
>>
>>> Hi Sandeep,
>>>
>>> Are you by any chance using intel_aesni klm (check /proc/crypto)? If
>>> so, aesgcm256 is not supported until kernel 4.1.
>>>
>>> Otherwise you can check the logs to see for any errors.
>>>
>>> Related to GCM256 - https://wiki.strongswan.org/issues/341
>>>
>>> Thanks
>>> Kapil
>>> On 22-Jun-2016 7:12 AM, "sandeep dubey" <[email protected]>
>>> wrote:
>>>
>>>> Hi Andreas,
>>>>
>>>> Thanks for the reply, I tried but it didn't work for me.
>>>>
>>>> my config -
>>>>
>>>> conn support-node
>>>>     authby=secret
>>>>     auto=start
>>>>     type=tunnel
>>>>     left=172.19.17.23
>>>>     leftid=5.6.7.8
>>>>     leftsubnet=172.19.0.0/16
>>>>     leftauth=psk
>>>>     right=1.2.3.4
>>>>     rightsubnet=10.10.0.0/16
>>>>     rightauth=psk
>>>>     ike=aes256gcm12-modp1536
>>>>     esp=aes256gcm12-modp1536
>>>>
>>>> On Tue, Jun 21, 2016 at 6:53 PM, Andreas Steffen <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Sandeep,
>>>>>
>>>>> since AES-GCM is an authenticated encryption algorithm
>>>>> no hash algorithm is needed in the esp statement:
>>>>>
>>>>> esp=aes256gcm12-modp1536
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>> On 21.06.2016 16:27, sandeep dubey wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am new to the strongswan world and have successfully set up a tunnel
>>>>>> between two AWS VPCs, but I have to make some changes in the config to
>>>>>> comply with a security requirement, which is not working even after
>>>>>> multiple tries. I went through an old bug for intel-eni which was fixed
>>>>>> but couldn't find any way to check and confirm if I have that fix or not.
>>>>>>
>>>>>> Bug ref. - http://wiki.strongswan.org/issues/341
>>>>>> Fix ref. -
>>>>>> https://marc.info/?l=linux-crypto-vger&m=139388786131685&w=2
>>>>>>
>>>>>> The only difference between my working config and my non-working config
>>>>>> is as below -
>>>>>>
>>>>>> Working with -
>>>>>> ike=aes128-sha1-modp1024
>>>>>> esp=aes128-sha1-modp1024
>>>>>>
>>>>>> Not working with -
>>>>>> ike=aes256gcm12-sha256-modp1536
>>>>>> esp=aes256gcm12-sha256-modp1536
>>>>>>
>>>>>> I am using ikev2 on an EC2 instance with kernel 3.13.0-85-generic
>>>>>> #129-Ubuntu SMP.
>>>>>>
>>>>>> Can someone help me?
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Sandeep
>>>>>>
>>>>>
>>>>> ======================================================================
>>>>> Andreas Steffen [email protected]
>>>>> strongSwan - the Open Source VPN Solution!
>>>>> www.strongswan.org
>>>>> Institute for Internet Technologies and Applications
>>>>> University of Applied Sciences Rapperswil
>>>>> CH-8640 Rapperswil (Switzerland)
>>>>> ===========================================================[ITA-HSR]==
>>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Sandeep
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>
>> --
>> Regards,
>> Sandeep
>>
>

--
Regards,
Sandeep
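
An added example (not part of the original thread): a POSIX shell check for the combination Kapil describes, an `aesni_intel` GCM driver listed in `/proc/crypto` on a kernel older than 4.1. The function names and the sample `/proc/crypto` text are constructed for illustration; the result is a version heuristic and cannot tell whether a distribution kernel carries a backported fix.

```shell
#!/bin/sh
# Added example: flag an aesni_intel GCM driver on a pre-4.1 kernel.

# Return 0 if a release string such as "3.13.0-85-generic" is older than 4.1.
kernel_lt_4_1() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -lt 1 ]; }
}

# Read /proc/crypto-format text on stdin; print the driver name of every
# GCM algorithm that is provided by the aesni_intel module.
aesni_gcm_drivers() {
    awk -F' *: *' '
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "module" && $2 == "aesni_intel" && name ~ /gcm/ { print driver }
    '
}

# Classify a host: arg 1 is `uname -r` output, stdin is /proc/crypto content.
check_gcm256() {
    drivers=$(aesni_gcm_drivers)
    if [ -z "$drivers" ]; then
        echo "no-aesni-gcm"
    elif kernel_lt_4_1 "$1"; then
        echo "suspect"   # pre-4.1 by version; a distro backport is still possible
    else
        echo "ok"
    fi
}

# Constructed sample in /proc/crypto layout (not captured from the poster's host).
sample_proc_crypto() {
    cat <<'EOF'
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400

name         : crc32c
driver       : crc32c-intel
module       : crc32c_intel
priority     : 200
EOF
}

# On a live system: check_gcm256 "$(uname -r)" < /proc/crypto
sample_proc_crypto | check_gcm256 "3.13.0-85-generic"
```

A `suspect` result on a distribution kernel still needs the vendor changelog checked for the backported fix.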
