[strongSwan] How to use af-alg plugin
Roee Agami
2018-08-08 12:58:28 UTC
Hi,

I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.

Now I am trying to build strongSwan with that plugin. I know of this example config:
https://www.strongswan.org/testing/testresults/af-alg/rw-cert/

And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).

Here is the output of the configure script command:
[inline image attachment, not included in the archive]

Then I make and make install it, and restart ipsec.
Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.

Running ‘ipsec statusall’ doesn’t show any output at all.

So my conclusion is that strongSwan is not running the way I wanted it to.
Can you help me figure out what I am missing?

Thanks,
Roee.
Roee Agami
2018-08-10 12:43:04 UTC
Hi,

I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.

Now I am trying to build strongSwan with that plugin. I know of this example config:
https://www.strongswan.org/testing/testresults/af-alg/rw-cert/

And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).

Here is the output of the configure script command:

strongSwan will be built with the following plugins
libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
libcharon: kernel-netlink socket-default stroke vici updown counters
libtnccs:
libtpmtss:

Then I make and make install it, and restart ipsec.
Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.

Running ‘ipsec statusall’ doesn’t show any output at all.

So my conclusion is that strongSwan is not running the way I wanted it to.
Can you help me figure out what I am missing?

Thanks,
Roee.
Noel Kuntze
2018-08-10 18:43:26 UTC
Hello,

The output of "./configure" only tells you what is built at build time, not what is loaded at run time.
They're complementary. You can't load a plugin that wasn't built. To be able to load a plugin, it has to be built and you need to have it.

Yes, af-alg does what you want. Your expectation to get stuff in the logs when it works is wrong. No crypto plugin ever prints anything regarding the usage, as long as nothing bad/critical happens.
You need to check the output of `ipsec listalgs` to see which plugin provides which algorithms.

Algorithms are provided by the plugin which provides them first relative to when the plugins are loaded when the daemon starts.

Kind regards

Noel
Post by Roee Agami

Hi,

I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.

https://www.strongswan.org/testing/testresults/af-alg/rw-cert/

And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).

strongSwan will be built with the following plugins
libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
libcharon: kernel-netlink socket-default stroke vici updown counters

Then I make and make install it, and restart ipsec.
Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.

Running ‘ipsec statusall’ doesn’t show any output at all.

So my conclusion is that strongSwan is not running the way I wanted it to.
Can you help me figure out what I am missing?

Thanks,
Roee.

--
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
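As an added example (not code from the thread, from Noel, or from the strongSwan project), the following POSIX shell script turns Noel's two points into checks an operator can run after the build: it parses `ipsec listalgs`-style output to report which plugin provides each algorithm and flags any that still come from a user-space plugin, and it verifies that a strongswan.conf `load` line lists af-alg before openssl so the kernel provider registers first. The `listalgs` sample and the `load` line are constructed for the example; the function names and the specific algorithm set are assumptions, and only the `ALGO[plugin]` token layout follows what `ipsec listalgs` prints.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan.
# Two checks after building strongSwan with the af-alg plugin:
#  1. parse `ipsec listalgs`-style output and report which plugin provides
#     each algorithm, flagging any still provided by a user-space plugin;
#  2. verify a strongswan.conf `load` line names af-alg before openssl, since
#     plugins register algorithms in load order and the first provider wins.
# Both inputs are CONSTRUCTED. The ALGO[plugin] token layout matches what
# `ipsec listalgs` prints; the algorithm set and providers are illustrative.
# Note: `ipsec listalgs` needs a running charon; empty output means the daemon
# is not up, not that af-alg is unused.

SAMPLE_LISTALGS='List of registered IKE algorithms:

  encryption: AES_CBC[af-alg] 3DES_CBC[af-alg] CAMELLIA_CBC[openssl]
  integrity:  HMAC_SHA1_96[af-alg] HMAC_SHA2_256_128[af-alg]
  hasher:     HASH_SHA1[af-alg] HASH_SHA2_256[af-alg]
  PRF:        PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
  DH group:   MODP_2048[openssl] ECP_256[openssl]
  random gen: RNG_STRONG[random] RNG_TRUE[random]'

# Constructed `load` line as it would appear inside charon { } in strongswan.conf.
SAMPLE_LOAD='load = random nonce af-alg openssl pem pkcs1 x509 revocation gmp stroke kernel-netlink socket-default updown'

# providers_for CATEGORY -> one "ALGO PLUGIN" line per algorithm in CATEGORY
# (CATEGORY may contain a space, e.g. "DH group").
providers_for() {
    printf '%s\n' "$SAMPLE_LISTALGS" |
    awk -v cat="$1" '
        index($0, "  " cat ":") == 1 {
            sub("^  " cat ":[ ]*", "")
            n = split($0, toks, " ")
            for (i = 1; i <= n; i++) {
                p = index(toks[i], "[")
                if (p > 1 && substr(toks[i], length(toks[i]), 1) == "]")
                    print substr(toks[i], 1, p - 1), substr(toks[i], p + 1, length(toks[i]) - p - 1)
            }
        }'
}

# foreign_algos CATEGORY PLUGIN -> algorithms in CATEGORY not provided by PLUGIN
foreign_algos() {
    providers_for "$1" | awk -v want="$2" '$2 != want { print $1 "[" $2 "]" }'
}

# count_foreign CATEGORY PLUGIN -> how many such algorithms (0 = all from PLUGIN)
count_foreign() {
    foreign_algos "$1" "$2" | wc -l | tr -d ' '
}

# load_order_ok LOAD_LINE FIRST SECOND -> exit 0 iff FIRST precedes SECOND
load_order_ok() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        { for (i = 1; i <= NF; i++) { if ($i == a && !pa) pa = i; if ($i == b && !pb) pb = i } }
        END { exit !(pa && pb && pa < pb) }'
}

# Human-readable summary when run directly.
for cat in encryption integrity hasher PRF "DH group" "random gen"; do
    n=$(count_foreign "$cat" af-alg)
    if [ "$n" -eq 0 ]; then
        echo "$cat: all algorithms provided by af-alg"
    else
        echo "$cat: $n algorithm(s) not from af-alg: $(foreign_algos "$cat" af-alg | tr '\n' ' ')"
    fi
done
if load_order_ok "$SAMPLE_LOAD" af-alg openssl; then
    echo "load order: af-alg registers before openssl"
else
    echo "load order: openssl would win; move af-alg earlier in the load line"
fi
```

To run it against a real host, replace `SAMPLE_LISTALGS` with the output of `ipsec listalgs` and `SAMPLE_LOAD` with the `load` line from the installed strongswan.conf; categories such as PRF or DH group that remain on openssl are expected where the kernel crypto API offers no provider for them.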
Roee Agami
2018-08-10 19:21:27 UTC
Thanks Noel,

Since I haven't specified anything in strongswan.conf, I assume that all of the plugins I built will be loaded.
"ipsec listalgs" prints nothing (similar to ipsec statusall).

Also, any swanctl command I run simply hangs and doesn't finish or print anything.

Any idea why?

Roee.

On 8/10/18, 2:43 PM, "Noel Kuntze" <***@thermi.consulting> wrote:

Hello,

The output of "./configure" only tells you what is built at build time, not what is loaded at run time.
They're complementary. You can't load a plugin that wasn't built. To be able to load a plugin, it has to be built and you need to have it.

Yes, af-alg does what you want. Your expectation to get stuff in the logs when it works is wrong. No crypto plugin ever prints anything regarding the usage, as long as nothing bad/critical happens.
You need to check the output of `ipsec listalgs` to see which plugin provides which algorithms.

Algorithms are provided by the plugin which provides them first relative to when the plugins are loaded when the daemon starts.

Kind regards

Noel
Post by Roee Agami
Hi,
I wish to have IKE use the crypto services of the kernel rather than the default user space ones. It was brought to my attention that af-alg plugin allows such behavior.
https://www.strongswan.org/testing/testresults/af-alg/rw-cert/
And was trying to follow it, loading the same plugins listed in Carol’s strongswan.conf (except that I was loading them using the configure script instead of strongswan.conf).
strongSwan will be built with the following plugins
libstrongswan: test-vectors mgf1 random nonce x509 revocation constraints pubkey pkcs1 pem openssl af-alg gmp ctr ccm gcm curl
libcharon: kernel-netlink socket-default stroke vici updown counters
Then I make and make install it, and restart ipsec.
Looking at the logs, I see messages indicating the various plugins are loaded successfully, and the last message I see is that ‘af-alg’ plugin is loaded successfully. I don’t see any other messages after that.
Running ‘ipsec statusall’ doesn’t show any output at all.
So my conclusion is that strongSwan is not running the way I wanted it to.
Can you help me figure out what I am missing?
Thanks,
Roee.
--
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8
Noel Kuntze
2018-08-10 19:31:14 UTC
[post hidden by the archive]
Roee Agami
2018-08-10 20:49:46 UTC
[post hidden by the archive]