Hi Lakshmi,

SHA-256 was implemented incorrectly for ESP with a 96 bit instead
of the standard 128 bit truncation in Linux kernels older than
2.6.33.

Workarounds:

1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)

2) If you run strongSwan on both VPN end points you can select the
   incorrect non-standard 96 bit truncation size by configuring

   esp=aes128-sha256_96

   In order for this non-standard algorithm ID to be accepted it might
   also be necessary to activate the sending of the strongSwan vendor id
   by setting

   charon {
     send_vendor_id = yes
   }

   in /etc/strongswan.conf

Regards

Andreas

On 12.08.2016 03:04, Lakshmi Prasanna wrote:
Experts,

Need urgent help.

When I try to use strongswan with SHA256, I see that the negotiation
fails at child SA creation time. I am using
strongSwan 5.1.3, Linux 2.6.21 version. Following is the log:

parsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]

received netlink error: Invalid argument (22)

unable to add SAD entry with SPI c28f19c1

received netlink error: Invalid argument (22)

unable to add SAD entry with SPI c088894f

unable to install inbound and outbound IPsec SA (SAD) in kernel

failed to establish CHILD_SA, keeping IKE_SA

sending DELETE for ESP CHILD_SA with SPI c28f19c1


I have already tried the changes mentioned in
https://lists.strongswan.org/pipermail/users/2013-September/005203.html
and it doesn't seem to work.

Is there any other fix for this issue?

Rgds,

Lakshmi

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
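
The following is an added example, not part of the original thread and not strongSwan or kernel code. It sketches why the 96 bit and 128 bit truncations of HMAC-SHA-256 only interoperate when both VPN end points use the same one. The key, the packet bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA-256 over the authenticated ESP bytes, cut to trunc_bits."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation must be whole bytes, at most 256 bits")
    return hmac.new(key, authenticated, hashlib.sha256).digest()[: trunc_bits // 8]


def protect(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """Sender side: append the truncated ICV to the authenticated bytes."""
    return authenticated + esp_icv(key, authenticated, trunc_bits)


def verify(key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """Receiver side: split off an ICV of the length *it* expects and check it."""
    icv_len = trunc_bits // 8
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, body, trunc_bits))


# Constructed sample values (not taken from the log in this thread).
KEY = bytes(range(32))
ESP_DATA = bytes.fromhex("0000100000000001") + b"constructed ciphertext"


def interop_matrix() -> dict:
    """Map (sender_bits, receiver_bits) to whether the packet authenticates."""
    return {
        (s, r): verify(KEY, protect(KEY, ESP_DATA, s), r)
        for s in (96, 128)
        for r in (96, 128)
    }


if __name__ == "__main__":
    for (s, r), ok in interop_matrix().items():
        print(f"sender {s:3d} bit / receiver {r:3d} bit -> {'ok' if ok else 'ICV mismatch'}")
```

The 96 bit ICV is a prefix of the 128 bit one, yet a receiver that expects the other length splits the packet at the wrong offset and rejects it.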
