I'm running a Linksys EA4500 with 17.01-SNAPSHOT r3466-f6907dc. While attempting to configure strongswan to use aes-gcm, I get:
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI cd903db2 and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using replay window of 32 packets
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] unable to add SAD entry with SPI cd903db2
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI 6109fc7b and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using replay window of 0 packets
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] unable to add SAD entry with SPI 6109fc7b
Wed Jul 19 16:18:30 2017 daemon.info : 14[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Wed Jul 19 16:18:30 2017 daemon.info : 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Which leads me to https://wiki.strongswan.org/issues/2121 which then caused me to notice that PACKAGE_kmod-ipsec doesn't pull in kmod-crypto-gcm. Please consider enabling GCM in the default kernel IPsec config.
This is a good question though: should the ipsec package depend on all possible crypto algorithms? Looking quickly, it's also missing dependencies on ECB, CTR, CCM, which are potentially useful. But for space-constrained devices, it makes sense to pull only the minimal amount of dependencies, and users can then install additional crypto packages if needed.
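A way to pull the rejected SAs out of a charon log like the one in this issue, as an added example that is not part of the original thread or of strongSwan or OpenWrt: it correlates the [KNL] lines per thread and reports each SPI whose install failed with netlink error 38, along with the requested algorithm. The function names, the constructed 15[KNL] sample SA and the "unknown" hint are assumptions; the only package pairing used is the GCM one stated in the issue.

```shell
#!/bin/sh
# Added example: list SAs that charon could not install because the kernel
# answered "Function not implemented (38)", with the algorithm requested.

failed_sa_algorithms() {
    awk '
    {
        # Find the "<thread>[KNL]" tag; skip lines from other subsystems.
        tag = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\[KNL\]$/) { tag = i; break }
        if (!tag) next
        t = $tag; a = $(tag + 1); b = $(tag + 2)
    }
    # State is kept per thread tag so interleaved worker threads do not mix.
    a == "adding" && b == "SAD" {
        spi[t] = $(tag + 6) ""; alg[t] = "-"; bits[t] = "-"; enosys[t] = 0; next
    }
    a == "using" && b == "encryption" { alg[t] = $(tag + 4); bits[t] = $NF; next }
    a == "received" && b == "netlink" && $NF == "(38)" { enosys[t] = 1; next }
    a == "unable" && ($NF "") == spi[t] && enosys[t] {
        # Only the GCM -> kmod-crypto-gcm pairing is stated in the issue.
        hint = (alg[t] ~ /^AES_GCM/) ? "kmod-crypto-gcm" : "unknown"
        print spi[t], alg[t], bits[t], hint
        enosys[t] = 0
    }'
}

sample_log() {
    # 14[KNL]/14[IKE] lines are taken from the issue; the 15[KNL] SA is constructed.
    cat <<'EOF'
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI cd903db2 and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using replay window of 32 packets
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] unable to add SAD entry with SPI cd903db2
Wed Jul 19 16:18:30 2017 daemon.info : 15[KNL] adding SAD entry with SPI c0ffee01 and reqid {2}
Wed Jul 19 16:18:30 2017 daemon.info : 15[KNL] using encryption algorithm AES_CBC with key size 128
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] adding SAD entry with SPI 6109fc7b and reqid {1}
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] using encryption algorithm AES_GCM_16 with key size 160
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] received netlink error: Function not implemented (38)
Wed Jul 19 16:18:30 2017 daemon.info : 14[KNL] unable to add SAD entry with SPI 6109fc7b
Wed Jul 19 16:18:30 2017 daemon.info : 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
EOF
}

sample_log | failed_sa_algorithms
```

Each output line is SPI, algorithm, key size as logged, and a package hint; on a real system the function reads the log on standard input.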