Hi Dusan,

hmmm, our documentation says that the correct ESP SHA256_128 HMAC
truncation was introduced with the 2.6.33 kernel but your kernel
might not be a vanilla 2.6.36 kernel:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

(ESP integrity algorithm footnote n)

Regards

Andreas

On 04.08.2017 16:41, Dusan Ilic wrote:
> Hi Andreas
>
> One side is 2.6.36 and the other 3.10.20
>
>
> On 2017-08-04 at 12:48, Andreas Steffen wrote:
>> Hi Dusan,
>>
>> this is a Linux kernel issue. Which kernel versions are you running
>> on the two endpoints?
>>
>> Regards
>>
>> Andreas
>>
>> On 04.08.2017 12:41, Dusan Ilic wrote:
>>> Hi Noel,
>>>
>>> One side is Strongswan 5.2.2 and the other is 5.5.2.
>>> How do I switch?
>>>
>>>
>>> On 2017-08-04 at 12:25, Noel Kuntze wrote:
>>>> the remote peer probably uses the DRAFT variant of sha2-256, which
>>>> uses 96 bit truncation. strongSwan uses the actual standardized
>>>> variant that truncates to 128 bit.
>>>> You can switch between the two in the newest version of strongSwan
>>>>
>>>> On 04.08.2017 12:23, Dusan Ilic wrote:
>>>>> Hello!
>>>>>
>>>>> I have a strange issue, with both settings below the tunnel goes up
>>>>> as it should, but only with SHA1 in ESP traffic goes through. When I
>>>>> ping the remote client with ESP SHA256 it times out, even though the
>>>>> tunnel reports as being up by Strongswan.
>>>>>
>>>>> Traffic working:
>>>>>
>>>>> ike=aes256-sha256-modp2048!
>>>>> esp=aes128-sha1-modp2048!
>>>>>
>>>>> Traffic not working:
>>>>>
>>>>> ike=aes256-sha256-modp2048!
>>>>> esp=aes256-sha256-modp2048!
>>>>>
>>>>> Below combo doesn't work either:
>>>>>
>>>>> ike=aes256-sha256-modp2048!
>>>>> esp=aes128-sha256-modp2048!
>>>>>
>>>>>
>>>>> Also, are above settings good? I'm having AES128 on ESP because with
>>>>> AES256 I lose too much throughput. Do you have any suggestions for
>>>>> change?
>>>>>
>>>>>
>

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
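The following is an added example, not part of the mailing-list thread and not strongSwan or kernel code. It models the symptom discussed above: two peers agree on HMAC-SHA-256 and share the same key, but one appends a 96-bit ICV and the other expects 128 bits, so every ESP packet fails the integrity check. The packet layout is simplified (SPI, sequence number, opaque payload, ICV) and the key, SPI and payload are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values (not from the thread).
KEY = bytes(range(32))            # 256-bit integrity key shared by both peers
SPI, SEQ = 0xC0FFEE01, 1
CIPHERTEXT = bytes(64)            # stand-in for IV + encrypted payload

def icv(key: bytes, data: bytes, icv_len: int) -> bytes:
    """HMAC-SHA-256 over the authenticated bytes, cut to icv_len bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:icv_len]

def build_esp(key: bytes, icv_len: int) -> bytes:
    """Sender side: SPI | sequence number | payload | truncated ICV."""
    body = SPI.to_bytes(4, "big") + SEQ.to_bytes(4, "big") + CIPHERTEXT
    return body + icv(key, body, icv_len)

def verify_esp(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side: treats the last icv_len bytes as the ICV, per its own SA."""
    if len(packet) < 8 + icv_len:
        return False
    body, received = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(received, icv(key, body, icv_len))

def interop_matrix() -> dict:
    """Verification result for every sender/receiver truncation pairing."""
    lengths = {"96-bit": 12, "128-bit": 16}
    return {
        (s, r): verify_esp(KEY, build_esp(KEY, s_len), r_len)
        for s, s_len in lengths.items()
        for r, r_len in lengths.items()
    }

if __name__ == "__main__":
    for (sender, receiver), ok in interop_matrix().items():
        print(f"sender {sender:7} -> receiver {receiver:7}: "
              f"{'accepted' if ok else 'dropped (ICV mismatch)'}")
```

The mismatch fails in both directions because the receiver splits the packet at the wrong offset, so it both reads the wrong ICV bytes and authenticates the wrong span of data.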