StrongSwan: Encryption not supported

Introduction

IPSec always sounded like a nightmare to me; at least, as a long-time user of OpenVPN, I never understood why it has to be so complicated.

But then came GCE, AWS and customers asking me to join their on-premise networks to their cloud provider. There is no alternative here but IPSec. If you don't want to do it on Cisco (or similar devices), there is StrongSwan on Linux, but it has a huge pitfall and I wanted to write about it.

Usually, you start by having cipher negotiation issues, and StrongSwan logging is, to say the least, not helpful.

Debian tricked me

Today I was connecting Google Cloud to a Debian-based gateway running StrongSwan and, as expected, I got a cipher issue:

So the first question was: is AES_GCM_16 not supported on my side or on Google's side? The cryptic messages did not help, but I assumed it was on my side, since when the problem comes from the other side the message is usually “NO_PROPOSAL_CHOSEN”.

How do I check the supported ciphers?

Indeed, I cannot see anything related to GCM, which looks like the root of my issue.

Investigations and resolution

I first wanted to verify whether this cipher is supposed to be supported by StrongSwan at all, and found the answer here:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

It needs the “aes” and “gcm” plugins, so let's read more about StrongSwan plugins:

https://wiki.strongswan.org/projects/strongswan/wiki/PluginList

OK, that's interesting. Aes should be fine, but gcm is disabled by default. I need to check what Debian did here and verify that the gcm plugin is enabled.

Debian developers usually store their packaging files on Debian's own public GitLab server, called Salsa. The strongswan packaging is hosted there, so it was easy to check:

https://salsa.debian.org/debian/strongswan/blob/debian/master/debian/rules

The debian/rules file is in charge of building the package, so this is where you want to look for the options passed to the autotools configure script. Here we can clearly see that the gcm plugin is explicitly enabled.

I also checked debian/changelog to be sure it was already enabled in the stable version of the package, the one available on Debian Buster, and yes, it was…

So why did I miss it?

I checked the installed strongswan packages and found *libstrongswan*; let's see its content:

This is very interesting! The aes plugin file is there, but no gcm one. Let's check whether it is available anywhere in the Debian archive (I'll just guess its file name):

I felt stupid here… It is quite common in Debian to separate the “standard” files from the “minimal” ones.

After installing the package and restarting strongswan, the list of supported ciphers is quite different:

And the VPN now works!
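To turn the diagnosis above into something repeatable, here is a small check script I would keep on a gateway; it is an added example and not part of the original post. It assumes the Debian layout (plugins in /usr/lib/ipsec/plugins, the plugin file named libstrongswan-gcm.so) and the Debian package name libstrongswan-standard-plugins; the sample `ipsec listalgs` output embedded in it is constructed, not a capture.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Debian layout:
# plugins under /usr/lib/ipsec/plugins, the gcm plugin file named
# libstrongswan-gcm.so, and the package libstrongswan-standard-plugins.
PLUGIN_DIR=${PLUGIN_DIR:-/usr/lib/ipsec/plugins}

# 0 if the given `ipsec listalgs` output advertises an AES-GCM transform
# registered by the gcm plugin (e.g. AES_GCM_16[gcm]), 1 otherwise.
# Takes the text as $1 so captured output can be checked without charon.
gcm_available() {
    printf '%s\n' "$1" | grep -q 'AES_GCM_[0-9]*\[gcm\]'
}

# 0 if the gcm plugin shared object is present in plugin directory $1.
gcm_plugin_installed() {
    [ -f "$1/libstrongswan-gcm.so" ]
}

# Live check against the running strongSwan; only meaningful on a gateway.
check_host() {
    if ! command -v ipsec >/dev/null 2>&1; then
        echo "ipsec not found: is strongswan installed?" >&2
        return 2
    fi
    if gcm_available "$(ipsec listalgs 2>/dev/null)"; then
        echo "AES-GCM is registered; proposals such as aes256gcm16 can be used"
        return 0
    fi
    echo "AES-GCM is not registered with charon"
    if gcm_plugin_installed "$PLUGIN_DIR"; then
        echo "plugin file present but not loaded: check charon.plugins.gcm.load in strongswan.conf"
    else
        echo "$PLUGIN_DIR/libstrongswan-gcm.so missing: apt install libstrongswan-standard-plugins, then restart strongswan"
    fi
    return 1
}

# Constructed sample outputs shaped like `ipsec listalgs` before and after
# installing the plugin package (not real captures from the post).
ALGS_BEFORE='List of registered IKE algorithms:
  encryption: AES_CBC[aes] 3DES_CBC[des] CAMELLIA_CBC[openssl]
  integrity:  HMAC_SHA2_256_128[hmac] HMAC_SHA1_96[hmac]'
ALGS_AFTER='List of registered IKE algorithms:
  encryption: AES_CBC[aes] AES_GCM_16[gcm] AES_GCM_12[gcm] AES_GCM_8[gcm]
  integrity:  HMAC_SHA2_256_128[hmac] HMAC_SHA1_96[hmac]'

if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it with `--live` on the gateway to query the running daemon; without arguments it only defines the functions and the sample data.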
