Hi Dusan, the only workaround I see is to either upgrade your Linux 2.6 kernel or fall back to a SHA-1 based ESP HMAC.
Regards

Andreas

On 04.08.2017 20:46, Dusan Ilic wrote:
> Hi,
>
> Unfortunately, I'm not following you guys :)
> Could someone please clarify?
>
>
> On 2017-08-04 at 19:04, Noel Kuntze wrote:
>> Hi,
>>
>> IIRC pfkey still uses the old truncation (It's mentioned in some
>> relatively recent ticket).
>> Try using kernel-netlink instead.
>>
>> Kind regards
>>
>> Noel
>>
>>
>> On 04.08.2017 19:02, Andreas Steffen wrote:
>>> Hi Dusan,
>>>
>>> hmmm, our documentation says that the correct ESP SHA256_128 HMAC
>>> truncation was introduced with the 2.6.33 kernel but your kernel
>>> might not be a vanilla 2.6.36 kernel:
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
>>>
>>> (ESP integrity algorithm footnote n)
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 04.08.2017 16:41, Dusan Ilic wrote:
>>>> Hi Andreas
>>>>
>>>> One side is 2.6.36 and the other 3.10.20
>>>>
>>>>
>>>> On 2017-08-04 at 12:48, Andreas Steffen wrote:
>>>>> Hi Dusan,
>>>>>
>>>>> this is a Linux kernel issue. Which kernel versions are you running
>>>>> on the two endpoints?
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>> On 04.08.2017 12:41, Dusan Ilic wrote:
>>>>>> Hi Noel,
>>>>>>
>>>>>> One side is Strongswan 5.2.2 and the other is 5.5.2.
>>>>>> How do I switch?
>>>>>>
>>>>>>
>>>>>> On 2017-08-04 at 12:25, Noel Kuntze wrote:
>>>>>>> The remote peer probably uses the DRAFT variant of sha2-256, which
>>>>>>> uses 96 bit truncation. strongSwan uses the actual standardized
>>>>>>> variant that truncates to 128 bit.
>>>>>>> You can switch between the two in the newest version of strongSwan.
>>>>>>>
>>>>>>> On 04.08.2017 12:23, Dusan Ilic wrote:
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> I have a strange issue: with both settings below the tunnel goes up
>>>>>>>> as it should, but only with SHA1 in ESP does traffic go through.
>>>>>>>> When I ping the remote client with ESP SHA256 it times out, even
>>>>>>>> though the tunnel reports as being up by Strongswan.
>>>>>>>>
>>>>>>>> Traffic working:
>>>>>>>>
>>>>>>>> ike=aes256-sha256-modp2048!
>>>>>>>> esp=aes128-sha1-modp2048!
>>>>>>>>
>>>>>>>> Traffic not working:
>>>>>>>>
>>>>>>>> ike=aes256-sha256-modp2048!
>>>>>>>> esp=aes256-sha256-modp2048!
>>>>>>>>
>>>>>>>> Below combo doesn't work either:
>>>>>>>>
>>>>>>>> ike=aes256-sha256-modp2048!
>>>>>>>> esp=aes128-sha256-modp2048!
>>>>>>>>
>>>>>>>>
>>>>>>>> Also, are above settings good? I'm having AES128 on ESP because
>>>>>>>> with AES256 I lose too much throughput. Do you have any
>>>>>>>> suggestions for change?
>>>>>>>>

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
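The failure mode the thread describes (IKE succeeds, ESP packets are silently dropped) comes down to the two peers truncating the HMAC-SHA-256 ICV to different lengths. The following is an added illustration, not code from the thread or from strongSwan: it computes the ESP ICV with the RFC 4868 128-bit truncation and with the 96-bit draft truncation over a constructed packet, and shows that a receiver configured for one length cannot verify a packet built with the other. The SPI, sequence number, ciphertext and key are made-up sample values.

```python
import hmac
import hashlib

# Constructed sample ESP fields (not real traffic): the authenticated
# region of an ESP packet is SPI + sequence number + encrypted payload.
ESP_SPI = bytes.fromhex("c0000001")
ESP_SEQ = (1).to_bytes(4, "big")
CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
AUTH_KEY = bytes.fromhex("0f" * 32)   # HMAC-SHA-256 uses a 256-bit key

RFC4868_ICV_BITS = 128   # HMAC-SHA-256-128: the standardized truncation
DRAFT_ICV_BITS = 96      # HMAC-SHA-256-96: the draft / old-kernel truncation


def esp_icv(authenticated: bytes, key: bytes, trunc_bits: int) -> bytes:
    """ICV = leftmost trunc_bits of HMAC-SHA-256 over the authenticated data."""
    mac = hmac.new(key, authenticated, hashlib.sha256).digest()
    return mac[: trunc_bits // 8]


def build_esp(authenticated: bytes, key: bytes, trunc_bits: int) -> bytes:
    """Sender side: append the ICV at the length this peer is configured for."""
    return authenticated + esp_icv(authenticated, key, trunc_bits)


def verify_esp(packet: bytes, key: bytes, trunc_bits: int) -> bool:
    """Receiver side: split off the trailing ICV using *its own* configured
    length, recompute, and compare in constant time. A length mismatch shifts
    the split point, so the MAC never matches and the packet is dropped."""
    icv_len = trunc_bits // 8
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(esp_icv(body, key, trunc_bits), icv)


def interop(sender_bits: int, receiver_bits: int) -> bool:
    """Does a packet built with sender_bits verify at a peer using receiver_bits?"""
    pkt = build_esp(ESP_SPI + ESP_SEQ + CIPHERTEXT, AUTH_KEY, sender_bits)
    return verify_esp(pkt, AUTH_KEY, receiver_bits)


if __name__ == "__main__":
    for s, r in [(128, 128), (96, 96), (96, 128), (128, 96)]:
        print(f"sender {s}-bit ICV -> receiver {r}-bit ICV: "
              f"{'accepted' if interop(s, r) else 'DROPPED'}")
```

Only the matching pairs verify; the mismatched pairs are rejected at the ESP layer even though the IKE SA (which negotiated "sha256" by name) is established, which is exactly the "tunnel up but ping times out" symptom.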