I have the following situation:
I set up an IPsec tunnel between Ubuntu and an embedded Linux system according to the configuration below. I start IPsec and the tunnel is established successfully with HMAC-SHA256 authentication, but 'ping' does not work in either direction (left-to-right and right-to-left). HMAC-SHA384/512 doesn't work either.
If I change the authentication method to SHA1, the ping works just fine.
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel
left=192.168.1.3
right=192.168.1.1
ike=aes256-sha2_256-modp1024!
ah=sha256
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=transport
# cat /etc/ipsec.secrets
192.168.1.3 192.168.1.1 : PSK 'test12345'
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 4.19.72, mips64):
uptime: 93 seconds, since Jan 01 18:27:08 1970
malloc: sbrk 2654208, mmap 0, used 339824, free 2314384
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 revocation hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.1.3
Connections:
tunnel: 192.168.1.3...192.168.1.1 IKEv2, dpddelay=30s
tunnel: local: [192.168.1.3] uses pre-shared key authentication
tunnel: remote: [192.168.1.1] uses pre-shared key authentication
tunnel: child: dynamic === dynamic TRANSPORT, dpdaction=restart
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 93 seconds ago, 192.168.1.3[192.168.1.3]...192.168.1.1[192.168.1.1]
tunnel[1]: IKEv2 SPIs: 3a0582084fdc1d9b_i* 9d8dcd5f66126a18_r, pre-shared key reauthentication in 39 minutes
tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
tunnel{1}: INSTALLED, TRANSPORT, reqid 1, AH SPIs: c5faf844_i c4574271_o
tunnel{1}: HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
tunnel{1}: 192.168.1.3/32 === 192.168.1.1/32
# ip xfrm state
src 192.168.1.3 dst 192.168.1.1
proto ah spi 0xc4574271 reqid 1 mode transport
replay-window 0 flag align4
auth-trunc hmac(sha256) 0x59aabf790413ccfcb9f7305b503270d50ab55a6d3780c5db00ec44894a92b7ac 128
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 192.168.1.3/32 dst 192.168.1.1/32
src 192.168.1.1 dst 192.168.1.3
proto ah spi 0xc5faf844 reqid 1 mode transport
replay-window 32 flag align4
auth-trunc hmac(sha256) 0x15dd2781d6885c1e1310e1d0649c8e87a31746189d804841bc203b500e8d8bad 128
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 192.168.1.1/32 dst 192.168.1.3/32
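One check worth running before digging into kernel crypto drivers is to compare the SAs actually installed on both hosts. The following is an added example, not code from the question or from strongSwan: it parses `ip xfrm state` output captured on each end and reports any integrity parameter that differs for the same SPI. Both samples are constructed: the local one is modelled on the output above with the key material replaced by `0x00`, and the peer one is made to differ in the ICV length (RFC 4868 fixes it at 128 bits for HMAC-SHA-256), which is one mismatch that leaves IKE ESTABLISHED while every AH packet fails verification.

```python
import re

# Constructed sample modelled on the question's `ip xfrm state` output (keys
# replaced by 0x00); the replay-window line is omitted but the parser accepts it.
LOCAL_STATE = """\
src 192.168.1.3 dst 192.168.1.1
    proto ah spi 0xc4574271 reqid 1 mode transport
    auth-trunc hmac(sha256) 0x00 128
src 192.168.1.1 dst 192.168.1.3
    proto ah spi 0xc5faf844 reqid 1 mode transport
    auth-trunc hmac(sha256) 0x00 128
"""
# Constructed peer output where the SA 192.168.1.3->192.168.1.1 was installed with a
# 96-bit ICV instead of the 128 bits RFC 4868 specifies for HMAC-SHA-256.
PEER_STATE = LOCAL_STATE.replace("0x00 128\nsrc", "0x00 96\nsrc", 1)

SA_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)\n"
    r"\s*proto (?P<proto>\S+) spi (?P<spi>0x[0-9a-f]+) reqid \d+ mode (?P<mode>\S+)\n"
    r"(?:\s*replay-window[^\n]*\n)?"
    r"\s*auth-trunc (?P<algo>\S+) 0x[0-9a-f]* (?P<trunc>\d+)",
    re.MULTILINE | re.IGNORECASE)

def parse_xfrm_state(text):
    """Return one dict per SA block that carries an auth-trunc line."""
    sas = []
    for m in SA_RE.finditer(text):
        sa = m.groupdict()
        sa["spi"], sa["trunc"] = int(sa["spi"], 16), int(sa["trunc"])
        sas.append(sa)
    return sas

def check_auth_consistency(local_sas, peer_sas):
    """Pair each local SA with the peer's SA for the same direction and SPI and list
    every integrity parameter that differs; any mismatch means the receiver drops
    each AH packet with an ICV error while IKE still reports the SA as INSTALLED."""
    peer_by_key = {(p["src"], p["dst"], p["spi"]): p for p in peer_sas}
    problems = []
    for sa in local_sas:
        peer = peer_by_key.get((sa["src"], sa["dst"], sa["spi"]))
        if peer is None:
            problems.append(f"spi 0x{sa['spi']:08x}: no matching SA on peer")
            continue
        for f in ("proto", "mode", "algo", "trunc"):
            if sa[f] != peer[f]:
                problems.append(f"spi 0x{sa['spi']:08x}: {f} local={sa[f]} peer={peer[f]}")
    return problems

if __name__ == "__main__":
    for p in check_auth_consistency(parse_xfrm_state(LOCAL_STATE), parse_xfrm_state(PEER_STATE)):
        print(p)
```

Run `ip xfrm state` on both hosts and feed the two captures to `check_auth_consistency`; an empty result means the kernels agree on algorithm and ICV length and the fault lies elsewhere (for example in the crypto module or driver used for hmac(sha256) on the embedded side).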