Thanks a lot for the quick reply Andreas.

Rgds,
Lakshmi

On Wed, Sep 21, 2016 at 6:35 PM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Lakshmi,
>
> no, IKEv1 does not support SHA2_256_96 for ESP. Since the corresponding
> ESP integrity algorithm is in the private identifier range and a
> strongSwan Vendor ID is required, you have to use strongSwan on both
> IPsec endpoints anyway. Therefore you can always set up the connection
> using IKEv2 so that there is no need for the legacy IKEv1 protocol.
>
> If you want to use 96 bit truncation with third party endpoints then the
> recommendation is to hack the kernel-netlink interface plugin so that
> when ESP SHA2_256 is proposed, strongSwan will use 96 bit instead of
> the correct 128 bit truncation. Have a look at the following issue that
> was posted a couple of months ago:
>
>   https://wiki.strongswan.org/issues/1353
>
> Regards
>
> Andreas
>
> On 21.09.2016 14:16, Lakshmi Prasanna wrote:
> > Hi Andreas,
> >
> > Does IKEv1 support SHA_256_96 for ESP ? I see that strongswan does not
> > send out the integrity algorithm when configured as SHA-256_96 for
> > IKEv1. However it works for IKEv2.
> >
> > Thanks,
> > Lakshmi
> >
> >
> > On Fri, Aug 12, 2016 at 9:26 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org>>
> > wrote:
> >
> >     Hi Lakshmi,
> >
> >     SHA-256 was implemented incorrectly for ESP with a 96 bit instead
> >     of the standard 128 bit truncation in Linux kernels older than
> >     2.6.33.
> >
> >     Workarounds:
> >
> >     1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)
> >
> >     2) If you run strongSwan on both VPN end points you can select the
> >        incorrect non-standard 96 bit truncation size by configuring
> >
> >        esp=aes128-sha256_96
> >
> >        In order for this non-standard algorithm ID to be accepted it
> might
> >        also be necessary to activate the sending of the strongSwan
> vendor id
> >        by setting
> >
> >        charon {
> >          send_vendor_id = yes
> >        }
> >
> >        in /etc/strongswan.conf
> >
> >     Regards
> >
> >     Andreas
> >
> >
> >     On 12.08.2016 03:04, Lakshmi Prasanna wrote:
> >
> >         Experts,
> >
> >         Need urgent help.
> >
> >         When I try to use strongswan with SHA256, I see that the
> negotiation
> >         fails at child SA creation time. I am using
> >             strongSwan 5.1.3, Linux 2.6.21 version). Following is the
> log:
> >
> >         arsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
> >
> >         received netlink error: Invalid argument (22)
> >
> >         unable to add SAD entry with SPI c28f19c1
> >
> >         received netlink error: Invalid argument (22)
> >
> >         unable to add SAD entry with SPI c088894f
> >
> >         unable to install inbound and outbound IPsec SA (SAD) in kernel
> >
> >         failed to establish CHILD_SA, keeping IKE_SA
> >
> >         sending DELETE for ESP CHILD_SA with SPI c28f19c1
> >
> >
> >         I have already tried the changes mentioned in
> >         https://lists.strongswan.org/pipermail/users/2013-
> September/005203.html
> >         <https://lists.strongswan.org/pipermail/users/2013-
> September/005203.html>
> >         and it doesnt seem to work.
> >
> >         Is there any other fix for this issue?
> >
> >         Rgds,
> >
> >         Lakshmi
> >
> >     ============================================================
> ==========
> >     Andreas Steffen
> >      andreas.stef...@strongswan.org <mailto:andreas.steffen@
> strongswan.org>
> >     strongSwan - the Open Source VPN Solution!
> >     www.strongswan.org <http://www.strongswan.org>
> >     Institute for Internet Technologies and Applications
> >     University of Applied Sciences Rapperswil
> >     CH-8640 Rapperswil (Switzerland)
> >     ===========================================================[
> ITA-HSR]==
> >
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Reply via email to