Re: [strongSwan] Strongswan 4.2.14 broken on ARM ?

2009-05-20 Thread Graham Hudspith
> I've removed any reads to unaligned integers in the parser code [1],
> generator looks OK so far. I don't have an ARM box, so any feedback is
> very welcome.
>
> Thanks
> Martin
>
> [1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=42748858
>
>

Martin,

Thanks for that patch.

With a small bit of adjustment, I managed to apply the patch to my
copy of the 4.2.14 code, :-), and rebuild.

It seems to work fine, so far.

I did have a small problem the first time I brought the ARM up, in
that the initial SA came up fine but then something started creating LOTS
of child SAs. I pulled the plug on the ARM box after we got to 100 child
SAs. Unfortunately, I did not have any charon logging turned on, so had no
logs to comb through.

Since then, restarting the ARM box and bringing up the connection has
exhibited no problems (and no unwanted child SAs).

So, looking good (but feeling slightly nervous about it needing wider
testing).

Regards,

Graham.







___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[strongSwan] Which plugins do what and which can I leave out?

2009-05-20 Thread Graham Hudspith
Dear All,

I've tried finding information on the plugins used by strongSwan and
have failed miserably. I'm hoping someone here can please throw some
light on the matter.

We're using eap-sim and eap-aka mechanisms to set up the tunnel. So
I have configured and built strongSwan with --disable-pluto to save
space in the installation.

We've also got openssl already installed, so I've also built with
--enable-openssl.

Now I'm looking to trim back the strongSwan plugins we don't need to
build and install.

Part 1
======

Which plugins can I get rid of when openssl is being used ?

I tried adding openssl to the list of plugins in strongswan.conf and
removing the following:

aes des sha1 sha2 md5 gmp xcbc fips-prf

However, with these removed, the tunnel does not come up. A little
experimentation shows that I have to add fips-prf (okay, I can
understand this one) and sha1 back in.

Why do I need to add sha1 back in ?

Doesn't the openssl plugin provide the same sha1 capability (via
openssl) ?

Part 2
======

Is there a description anywhere of what the various plugins do ?

Which plugins require other plugins ?

Which can be removed when using openssl ?

If I use "fips-prf", can I remove "random" ? Or are they not
alternatives ?

It would also be useful if the UML tests included strongswan.conf
files that indicated the minimum/specific list of plugins required
per test rather than seeming to include the "standard set" plus any
specialist ones required.

There is a page in the strongSwan wiki here
 which
lists the cipher suites supported for IKEv2. Does this show that
/only/ the algorithms marked with an "o" will be picked up from
openssl when the openssl plugin is used ? And that no other
algorithms which are *not* marked with an "o" will be picked up from
openssl (e.g. sha1 will not come from openssl) ?

Hope these questions aren't too noob for everyone!

Graham.
