Hi Thomas,

I haven't upgraded it because that's not an option; both endpoints are routers with embedded Linux.
Below is the output after some pings from both sides.

Strongswan 5.5.2

ip -s x s s
src 85.24.241.x dst 94.254.123.x
proto esp spi 0xce291943(3458799939) reqid 1(0x00000001) mode tunnel replay-window 0 seq 0x00000000 flag nopmtudisc af-unspec (0x00100100) auth-trunc hmac(sha256) 0xc45dd8403c10cfd32f8fe74003cc80a309b7a0decb185826ef62ac1763ae4bcd (256 bits) 128 enc cbc(aes) 0x0abb9115383986028a844ff1e71bd0f55aa22099d76785b288803ed7204aa23e (256 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2762(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          1416(bytes), 25(packets)
          add 2017-08-06 20:08:26 use 2017-08-06 20:08:31
        stats:
          replay-window 0 replay 0 failed 0
src 94.254.123.x dst 85.24.241.x
proto esp spi 0xc9359a4e(3375733326) reqid 1(0x00000001) mode tunnel replay-window 32 seq 0x00000000 flag nopmtudisc af-unspec (0x00100100) auth-trunc hmac(sha256) 0xfe9408ba634fe4276972fa79c9b60f12bffc766434298cb25738396d2b94dda9 (256 bits) 128 enc cbc(aes) 0x1fd6fd06781cee3bab6ed97a2f01793eded22f7360691430fdfb604c4e424066 (256 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2895(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-06 20:08:26 use 2017-08-06 20:08:28
        stats:
          replay-window 0 replay 0 failed 49

Strongswan 5.2.2

ip -s x s s
src 94.254.123.x dst 85.24.241.x
proto esp spi 0xc9359a4e(3375733326) reqid 1(0x00000001) mode tunnel

On 2017-08-06 at 16:49, Thomas Egerer wrote:

Hello Dusan,

if you haven't yet updated your kernel, we might shed some light on
the problem. Set up the tunnel with SHA256 and send a couple of
packets from both sides. Then provide the output of
'ip -s x s s'

Cheers,
Thomas


On 08/04/2017 12:23 PM, Dusan Ilic wrote:
Hello!

I have a strange issue, with both settings below the tunnel goes up as it 
should, but only with SHA1 in ESP traffic goes through. When I ping the remote 
client with ESP SHA256 it times out, even though the tunnel reports as being up 
by Strongswan.

Traffic working:

ike=aes256-sha256-modp2048!
esp=aes128-sha1-modp2048!

Traffic not working:

ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!

Below combo doesn't work either:

ike=aes256-sha256-modp2048!
esp=aes128-sha256-modp2048!


Also, are the above settings good? I'm having AES128 on ESP because with AES256 I 
lose too much throughput. Do you have any suggestions for change?


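As an added example (not part of the thread and not strongSwan code), a small Python parser for the 'ip -s x s s' output requested above: it lists the SAs whose "failed" counter, which counts packets that failed the integrity check, is non-zero. The sample SAs, addresses and keys are constructed placeholders, and parse_sas and integrity_failures are hypothetical names.

```python
import re

# Constructed, trimmed sample in `ip -s xfrm state` layout (placeholder keys).
SAMPLE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc0000001(3221225473) reqid 1(0x00000001) mode tunnel
    auth-trunc hmac(sha256) 0x00 (256 bits) 128
    lifetime current:
      1416(bytes), 25(packets)
    stats:
      replay-window 0 replay 0 failed 0
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc0000002(3221225474) reqid 1(0x00000001) mode tunnel
    auth-trunc hmac(sha256) 0x00 (256 bits) 128
    lifetime current:
      0(bytes), 0(packets)
    stats:
      replay-window 0 replay 0 failed 49
"""

FIELDS = {
    "spi": r"\bspi (0x[0-9a-f]+)",
    "auth": r"\bauth(?:-trunc)? (\S+)",
    "trunc": r"\bauth-trunc \S+ \S+ \(\d+ bits\) (\d+)",  # ICV length in bits
    "packets": r"(\d+)\(packets\)",                       # packets accepted so far
    "failed": r"\bfailed (\d+)",                          # integrity check failures
}

def parse_sas(text):
    """Return one dict per SA; works on wrapped or flattened output."""
    sas = []
    for block in re.split(r"(?m)^(?=src \S+ dst \S+)", text):
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head:
            continue
        sa = {"src": head.group(1), "dst": head.group(2)}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, block)
            sa[name] = m.group(1) if m else None
        sas.append(sa)
    return sas

def integrity_failures(sas):
    """SAs on which at least one packet failed the integrity check."""
    return [sa for sa in sas if int(sa["failed"] or 0) > 0]

if __name__ == "__main__":
    for sa in integrity_failures(parse_sas(SAMPLE)):
        print(sa["src"], "->", sa["dst"], sa["spi"], sa["auth"], "failed:", sa["failed"])
```

An SA that shows 0 accepted packets next to a growing "failed" count is receiving ESP packets but rejecting all of them at the integrity check.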