Hi Lakshmi, SHA-256 was implemented incorrectly for ESP with a 96 bit instead of the standard 128 bit truncation in Linux kernels older than 2.6.33.
Workarounds:

1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)

2) If you run strongSwan on both VPN end points you can select the incorrect non-standard 96 bit truncation size by configuring

   esp=aes128-sha256_96

In order for this non-standard algorithm ID to be accepted it might also be necessary to activate the sending of the strongSwan vendor id by setting

   charon {
     send_vendor_id = yes
   }

in /etc/strongswan.conf

Regards

Andreas

On 12.08.2016 03:04, Lakshmi Prasanna wrote:
> Experts,
>
> Need urgent help. When I try to use strongSwan with SHA256, I see that the negotiation fails at child SA creation time. I am using strongSwan 5.1.3 (Linux 2.6.21 version). Following is the log:
>
>   arsed CREATE_CHILD_SA response 4 [ N(USE_TRANSP) SA No TSi TSr ]
>   received netlink error: Invalid argument (22)
>   unable to add SAD entry with SPI c28f19c1
>   received netlink error: Invalid argument (22)
>   unable to add SAD entry with SPI c088894f
>   unable to install inbound and outbound IPsec SA (SAD) in kernel
>   failed to establish CHILD_SA, keeping IKE_SA
>   sending DELETE for ESP CHILD_SA with SPI c28f19c1
>
> I have already tried the changes mentioned in https://lists.strongswan.org/pipermail/users/2013-September/005203.html and it doesn't seem to work. Is there any other fix for this issue?
>
> Rgds,
> Lakshmi
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
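The mismatch Andreas describes (HMAC-SHA-256 ICV truncated to 96 bits by old Linux kernels versus the 128 bits RFC 4868 specifies) can be shown in a few lines. The following is an added illustration, not code from the thread or from strongSwan or the kernel; the key and the ESP header/payload bytes are constructed sample values, and `esp_icv`/`verify_icv` are hypothetical helper names that compute and check the trailing ESP integrity check value the way a peer would. It shows why a 96-bit and a 128-bit peer never agree on a packet even though the underlying HMAC is identical.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the thread): a 256-bit integrity key
# and the bytes an ESP peer authenticates (SPI, sequence number, payload).
SAMPLE_KEY = bytes.fromhex("0b" * 32)
SAMPLE_ESP_DATA = (
    bytes.fromhex("c28f19c1")      # SPI (value taken from the quoted log)
    + bytes.fromhex("00000001")    # sequence number
    + b"constructed sample payload"
)

RFC4868_ICV_BITS = 128   # HMAC-SHA-256-128 as mandated for IPsec
LEGACY_ICV_BITS = 96     # what Linux < 2.6.33 produced (sha256_96)


def esp_icv(key: bytes, data: bytes, trunc_bits: int) -> bytes:
    """Return the ESP ICV: HMAC-SHA-256 over data, truncated to trunc_bits."""
    if trunc_bits not in (LEGACY_ICV_BITS, RFC4868_ICV_BITS):
        raise ValueError("only the 96- and 128-bit truncations are modelled here")
    full_mac = hmac.new(key, data, hashlib.sha256).digest()
    return full_mac[: trunc_bits // 8]


def verify_icv(key: bytes, data: bytes, received_icv: bytes, expected_bits: int) -> bool:
    """Check a received ICV the way a peer configured for expected_bits would.

    A peer that expects a different truncation length than the sender used
    never matches, because both the length and the compared bytes differ.
    """
    expected = esp_icv(key, data, expected_bits)
    return hmac.compare_digest(expected, received_icv)


def truncation_mismatch_demo() -> dict:
    """Summarise how the two truncations interoperate (or fail to)."""
    icv_128 = esp_icv(SAMPLE_KEY, SAMPLE_ESP_DATA, RFC4868_ICV_BITS)
    icv_96 = esp_icv(SAMPLE_KEY, SAMPLE_ESP_DATA, LEGACY_ICV_BITS)
    return {
        "icv_128_len": len(icv_128),
        "icv_96_len": len(icv_96),
        # the 96-bit ICV is simply a prefix of the 128-bit one
        "96_is_prefix_of_128": icv_128.startswith(icv_96),
        # same setting on both ends: packets authenticate
        "128_vs_128": verify_icv(SAMPLE_KEY, SAMPLE_ESP_DATA, icv_128, RFC4868_ICV_BITS),
        "96_vs_96": verify_icv(SAMPLE_KEY, SAMPLE_ESP_DATA, icv_96, LEGACY_ICV_BITS),
        # mixed settings: every packet fails integrity checking
        "128_sent_to_96_peer": verify_icv(SAMPLE_KEY, SAMPLE_ESP_DATA, icv_128, LEGACY_ICV_BITS),
        "96_sent_to_128_peer": verify_icv(SAMPLE_KEY, SAMPLE_ESP_DATA, icv_96, RFC4868_ICV_BITS),
    }


if __name__ == "__main__":
    for name, value in truncation_mismatch_demo().items():
        print(f"{name}: {value}")
```

The point for a defender: selecting `sha256_96` on both strongSwan ends, as in workaround 2, makes both peers truncate at 12 bytes and so interoperate, but it is a non-standard setting that only pairs with other peers configured the same way; upgrading the kernel restores the RFC 4868 length so the standard `sha256` proposal works against any compliant peer.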