No ping on StrongSwan IPSec in HMAC-SHA256, ping works in HMAC-SHA1


I have the following situation:

I set up an IPsec tunnel between an Ubuntu host and an embedded Linux system according to the configuration below. I start IPsec and the tunnel is established successfully with HMAC-SHA256 authentication, but 'ping' does not work in either direction (left-to-right or right-to-left). HMAC-SHA384/512 doesn't work either.

If I change the authentication method to SHA1, the ping works just fine.

# cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel
        left=192.168.1.3
        right=192.168.1.1
        # IKE SA proposal; the trailing "!" makes it strict (no other proposals are offered)
        ike=aes256-sha2_256-modp1024!
        # AH only (integrity, no encryption); strongSwan "sha256" is HMAC-SHA-256-128 per RFC 4868
        ah=sha256
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        authby=secret
        auto=start
        keyexchange=ikev2
        # transport mode: protects host-to-host traffic between left and right only
        type=transport

# cat /etc/ipsec.secrets 
192.168.1.3 192.168.1.1 : PSK 'test12345'

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 4.19.72, mips64):
  uptime: 93 seconds, since Jan 01 18:27:08 1970
  malloc: sbrk 2654208, mmap 0, used 339824, free 2314384
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 revocation hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  192.168.1.3
Connections:
      tunnel:  192.168.1.3...192.168.1.1  IKEv2, dpddelay=30s
      tunnel:   local:  [192.168.1.3] uses pre-shared key authentication
      tunnel:   remote: [192.168.1.1] uses pre-shared key authentication
      tunnel:   child:  dynamic === dynamic TRANSPORT, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 93 seconds ago, 192.168.1.3[192.168.1.3]...192.168.1.1[192.168.1.1]
      tunnel[1]: IKEv2 SPIs: 3a0582084fdc1d9b_i* 9d8dcd5f66126a18_r, pre-shared key reauthentication in 39 minutes
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      tunnel{1}:  INSTALLED, TRANSPORT, reqid 1, AH SPIs: c5faf844_i c4574271_o
      tunnel{1}:  HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
      tunnel{1}:   192.168.1.3/32 === 192.168.1.1/32

# ip xfrm state
src 192.168.1.3 dst 192.168.1.1
        proto ah spi 0xc4574271 reqid 1 mode transport
        replay-window 0 flag align4
        auth-trunc hmac(sha256) 0x59aabf790413ccfcb9f7305b503270d50ab55a6d3780c5db00ec44894a92b7ac 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 192.168.1.3/32 dst 192.168.1.1/32 
src 192.168.1.1 dst 192.168.1.3
        proto ah spi 0xc5faf844 reqid 1 mode transport
        replay-window 32 flag align4
        auth-trunc hmac(sha256) 0x15dd2781d6885c1e1310e1d0649c8e87a31746189d804841bc203b500e8d8bad 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 192.168.1.1/32 dst 192.168.1.3/32 
Tags: ipsec, strongswan
asked on Server Fault Apr 19, 2020 by user2234234

0 Answers

Nobody has answered this question yet.
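Added diagnostic example (not from the question, not an answer posted on the original page, and not strongSwan's own code): when an AH or ESP SA shows INSTALLED with 0 bytes in both directions, one thing to rule out is that the two kernels agree on the integrity algorithm and on the ICV truncation length per SPI. Linux kernels before the RFC 4868 change truncated hmac(sha256) to 96 bits instead of 128, which is why strongSwan still offers a `sha256_96` keyword; a peer that truncates differently rejects every packet as an integrity failure, with nothing counted on the SA. The script below parses `ip xfrm state` output from both peers and compares the `auth-trunc` algorithm and length by SPI. LOCAL_DUMP is the dump from the question; PEER_DUMP is a constructed dump for the other end that deliberately carries the legacy 96-bit truncation on one SA to show what a mismatch looks like. All function and constant names are this example's own.

```python
import re

# ICV truncation lengths in bits: RFC 2404 for HMAC-SHA1-96, RFC 4868 for the SHA-2 family.
RFC_TRUNC_BITS = {
    "hmac(sha1)": 96,
    "hmac(sha256)": 128,
    "hmac(sha384)": 192,
    "hmac(sha512)": 256,
}

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)\s*$")
SA_PROTO = re.compile(r"^\s*proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")
# `auth-trunc <alg> <key> <bits>`; very old iproute2 prints `auth <alg> <key>` without a length.
SA_AUTH = re.compile(r"^\s*auth(?:-trunc)? (\S+) 0x[0-9a-f]+(?: (\d+))?")


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into a list of per-SA dicts (src, dst, proto, spi, auth, trunc_bits)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_PROTO.match(line)
        if m:
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)), mode=m.group(4))
            continue
        m = SA_AUTH.match(line)
        if m:
            cur["auth"] = m.group(1)
            cur["trunc_bits"] = int(m.group(2)) if m.group(2) else None
    return sas


def check_truncation(sas):
    """Flag SAs whose ICV length deviates from the RFC value a standards-conforming peer will use."""
    findings = []
    for sa in sas:
        alg, got = sa.get("auth"), sa.get("trunc_bits")
        want = RFC_TRUNC_BITS.get(alg)
        if want is not None and got is not None and got != want:
            findings.append(f"{sa['proto']} spi {sa['spi']} {sa['src']}->{sa['dst']}: "
                            f"{alg} truncated to {got} bits, RFC value is {want}")
    return findings


def check_peer_consistency(local_sas, peer_sas):
    """Match SAs by SPI and require identical integrity algorithm and ICV length on both ends.
    Any difference means the receiver drops every packet at the integrity check, which
    shows up as an INSTALLED SA with zero bytes counted in either direction."""
    findings = []
    peer_by_spi = {sa["spi"]: sa for sa in peer_sas if "spi" in sa}
    for sa in local_sas:
        peer = peer_by_spi.get(sa.get("spi"))
        if peer is None:
            findings.append(f"spi {sa.get('spi')}: present locally, missing on peer")
            continue
        if (sa.get("auth"), sa.get("trunc_bits")) != (peer.get("auth"), peer.get("trunc_bits")):
            findings.append(f"spi {sa['spi']}: local {sa.get('auth')}/{sa.get('trunc_bits')} vs "
                            f"peer {peer.get('auth')}/{peer.get('trunc_bits')}")
    return findings


# The embedded side's dump, copied from the question.
LOCAL_DUMP = """src 192.168.1.3 dst 192.168.1.1
        proto ah spi 0xc4574271 reqid 1 mode transport
        replay-window 0 flag align4
        auth-trunc hmac(sha256) 0x59aabf790413ccfcb9f7305b503270d50ab55a6d3780c5db00ec44894a92b7ac 128
        sel src 192.168.1.3/32 dst 192.168.1.1/32
src 192.168.1.1 dst 192.168.1.3
        proto ah spi 0xc5faf844 reqid 1 mode transport
        replay-window 32 flag align4
        auth-trunc hmac(sha256) 0x15dd2781d6885c1e1310e1d0649c8e87a31746189d804841bc203b500e8d8bad 128
        sel src 192.168.1.1/32 dst 192.168.1.3/32
"""

# Constructed dump for the other peer: same SPIs and keys, but the SA it sends on is
# truncated to the legacy 96 bits, so the embedded side's inbound ICV check fails.
PEER_DUMP = """src 192.168.1.3 dst 192.168.1.1
        proto ah spi 0xc4574271 reqid 1 mode transport
        auth-trunc hmac(sha256) 0x59aabf790413ccfcb9f7305b503270d50ab55a6d3780c5db00ec44894a92b7ac 128
src 192.168.1.1 dst 192.168.1.3
        proto ah spi 0xc5faf844 reqid 1 mode transport
        auth-trunc hmac(sha256) 0x15dd2781d6885c1e1310e1d0649c8e87a31746189d804841bc203b500e8d8bad 96
"""

if __name__ == "__main__":
    local, peer = parse_xfrm_state(LOCAL_DUMP), parse_xfrm_state(PEER_DUMP)
    for f in check_truncation(local) + check_truncation(peer) + check_peer_consistency(local, peer):
        print(f)
```

To use it on real hosts, capture `ip xfrm state` on each peer (the keys are printed in the clear, so collect the dumps over an authenticated channel and delete them afterwards) and feed the two texts to `parse_xfrm_state`. If both ends already agree on algorithm and length, the next things to compare are the `sel` selectors and whether `bytes_i`/`bytes_o` move at all when AH is replaced by ESP with the same integrity algorithm.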


User contributions licensed under CC BY-SA 3.0