Hi Andreas,
Okey, I see. Thank you for clarifying!
Den 2017-08-04 kl. 20:50, skrev Andreas Steffen:
Hi Dusan,
the only workaround I see is to either upgrade your Linux 2.6
kernel or fall back to a SHA-1 based ESP HMAC.
Regards
Andreas
On 04.08.2017 20:46, Dusan Ilic wrote:
Hi,
Unfortunately, I'm not following you guys :)
Could someone please clarify?
Den 2017-08-04 kl. 19:04, skrev Noel Kuntze:
Hi,
IIRC pfkey still uses the old truncation (It's mentioned in some
relatively recent ticket).
Try using kernel-netlink instead.
Kind regards
Noel
On 04.08.2017 19:02, Andreas Steffen wrote:
Hi Dusan,
hmmm, our documentation says that the correct ESP SHA256_128 HMAC
truncation was introduced with the 2.6.33 kernel but your kernel
might not be a vanilla 2.6.36 kernel:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
(ESP integrity algorithm footnote n)
Regards
Andreas
On 04.08.2017 16:41, Dusan Ilic wrote:
Hi Andreas
One side is 2.6.36 and the other 3.10.20
Den 2017-08-04 kl. 12:48, skrev Andreas Steffen:
Hi Dusan,
this is a Linux kernel issue. Which kernel versions are you running
on the two endpoints?.
Regards
Andreas
On 04.08.2017 12:41, Dusan Ilic wrote:
Hi Noel,
One side is Strongswan 5.2.2 and the other is 5.5.2.
How do I switch?
Den 2017-08-04 kl. 12:25, skrev Noel Kuntze:
the remote peer probably uses the DRAFT variant of sha2-256, which
uses 96 bit truncation. strongSwan uses the actual standardized
variant that truncates to 128 bit.
You can switch between the two in the newest version of strongSwan
On 04.08.2017 12:23, Dusan Ilic wrote:
Hello!
I have a strange issue, with both settings below the tunnel goes up
as it should, but only with SHA1 in ESP traffic goes through.
When I
ping the remote client with ESP SHA256 it times out, even though
the
tunnel reports as being up by Strongswan.
Traffic working:
ike=aes256-sha256-modp2048!
esp=aes128-sha1-modp2048!
Traffic not working:
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!
Below combo doesn't work either:
ike=aes256-sha256-modp2048!
esp=aes128-sha256-modp2048!
Also, are above settings good? I'm having AES128 on ESP because
with
AES256 I loose too much througput. Do you have any suggestions for
change?
