Hi Eric,

> I have a situation where ESP packets appear to be getting mangled on the
> remote peer whenever I use SHA2-256-128 for Phase2 (ESP). I can
> establish the SAs from the Strongswan to the remote peer no problem.
> However, I get no packets returned after establishing the tunnel.
Not sure if this applies here, as you didn't mention the kernel versions you are using, but Linux kernels before 2.6.33 incorrectly used a truncation of 96 bits for SHA-256. With strongSwan 4.3.6 we introduced support for the configurable truncation length of newer kernels, and the default changed to 128 bits. For compatibility with older kernels we also added a new keyword (sha256_96) to negotiate the incorrect truncation (this uses algorithm identifiers from the private range in IKEv2, so it only works between two strongSwan hosts).

In your case the other host might be using the incorrect truncation while the strongSwan host expects a truncation of 128 bits.

By the way, Wireshark seems to support both truncations, so you should be able to verify this easily.

Regards,
Tobias

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
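To make the truncation mismatch described in the reply concrete, here is an added example (not code from the thread or from strongSwan) that computes an ESP integrity check value (ICV) as HMAC-SHA-256 truncated to either 96 or 128 bits, and shows why a peer expecting the 128-bit ICV rejects a packet authenticated with the 96-bit one. The key, SPI, sequence number and ciphertext bytes are constructed sample values; the packet layout (header and payload followed by the trailing ICV) follows ESP, but the helper names are this example's own.

```python
import hmac
import hashlib

# ESP authenticates the header (SPI + sequence number) and the encrypted
# payload, then appends the leftmost trunc_bits of the HMAC as the ICV.
# RFC 4868 specifies 128 bits for HMAC-SHA-256; pre-2.6.33 Linux used 96.
def esp_icv(auth_key: bytes, authenticated_data: bytes, trunc_bits: int) -> bytes:
    if trunc_bits % 8 != 0 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation must be a multiple of 8 bits, 8..256")
    mac = hmac.new(auth_key, authenticated_data, hashlib.sha256).digest()
    return mac[: trunc_bits // 8]


def build_esp_packet(auth_key: bytes, spi: int, seq: int,
                     ciphertext: bytes, trunc_bits: int) -> bytes:
    """Sender side: header || ciphertext || ICV (ICV length = trunc_bits/8)."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authenticated = header + ciphertext
    return authenticated + esp_icv(auth_key, authenticated, trunc_bits)


def verify_esp_packet(auth_key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """Receiver side: strip the ICV length it *expects* and recompute.

    A receiver configured for 128-bit truncation takes 16 trailing bytes as
    the ICV; if the sender appended only 12, the split is wrong and the
    comparison fails, so the packet is silently dropped (no reply traffic)."""
    icv_len = trunc_bits // 8
    if len(packet) <= icv_len:
        return False
    data, icv = packet[:-icv_len], packet[-icv_len:]
    expected = esp_icv(auth_key, data, trunc_bits)
    return hmac.compare_digest(icv, expected)


def detect_truncation(auth_key: bytes, packet: bytes):
    """Diagnostic helper (like an analyzer that knows both variants):
    report which truncation the sender used, or None if neither verifies."""
    for bits in (128, 96):
        if verify_esp_packet(auth_key, packet, bits):
            return bits
    return None


# Constructed sample values: a 256-bit authentication key and a short
# "ciphertext" payload (contents irrelevant to the integrity check).
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPI = 0x0000ABCD
SAMPLE_SEQ = 1
SAMPLE_CIPHERTEXT = b"\xde\xad\xbe\xef" * 8

if __name__ == "__main__":
    old_kernel_pkt = build_esp_packet(SAMPLE_KEY, SAMPLE_SPI, SAMPLE_SEQ,
                                      SAMPLE_CIPHERTEXT, 96)
    new_kernel_pkt = build_esp_packet(SAMPLE_KEY, SAMPLE_SPI, SAMPLE_SEQ,
                                      SAMPLE_CIPHERTEXT, 128)
    print("96-bit packet accepted by 128-bit receiver:",
          verify_esp_packet(SAMPLE_KEY, old_kernel_pkt, 128))
    print("96-bit packet accepted by 96-bit receiver: ",
          verify_esp_packet(SAMPLE_KEY, old_kernel_pkt, 96))
    print("sender truncation detected:",
          detect_truncation(SAMPLE_KEY, old_kernel_pkt),
          detect_truncation(SAMPLE_KEY, new_kernel_pkt))
```

The 96-bit ICV is simply the first 12 bytes of the 16-byte one, so both sides derive the same HMAC; only the agreed length differs, which is why the fix is a configuration agreement (the sha256_96 keyword between strongSwan hosts, or a kernel that uses the 128-bit default on both ends) rather than a key or algorithm change. `detect_truncation` mirrors the check the reply suggests doing with Wireshark: recompute under both lengths and see which one the captured packets match.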