0 votes
477 views 1 comments
by anonymous

We have successfully deployed IPsec tunnels using SHA-512 with RUT950 and RUT900 on one side and OpenBSD's iked on the other. The recently bought RUT240 allows choosing SHA-512 in the WebUI as the authentication/hash algorithm for Phase 1/Phase 2, respectively. A device configured in such a way drops the IPsec connection, because there is no SHA-512 support in the kernel.

Firmware RUT2XX_R_00.01.12

Logs:

Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] received netlink error: Function not implemented (89)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] unable to add SAD entry with SPI c817e6f5 (FAILED)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] received netlink error: Function not implemented (89)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] unable to add SAD entry with SPI d1991994 (FAILED)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA

Checks:

root@Teltonika-RUT240:~# lsmod | grep sha
crypto_hash 9746 7 ah6,ah4,sha256_generic,sha1_generic,md5,hmac,authenc
sha1_generic 1459 0
sha256_generic 9109 0

root@Teltonika-RUT240:~# opkg list | grep sha
kmod-crypto-sha1 - 3.18.44-1
kmod-crypto-sha256 - 3.18.44-1
strongswan-mod-sha1 - 5.6.2-1
strongswan-mod-sha2 - 5.6.2-1

After downgrading to SHA-256 on both sides of the connection we still experience problems, but I'll file another ticket for it.

1 Answer

0 votes
by anonymous
Hello,

Thank you for the information about this issue. We are testing and looking into it. I hope I will be able to give you some information in the near future.

Best regards,
VidasKac
by
Hi,

Did you find anything? We experienced something similar with RUT240. If we configure SHA512 on Phase 2 on an IPsec tunnel, the tunnel can't be established. It's working with SHA256.

Best regards,

Mark
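The check described in this thread, as an added example that is not part of the original posts or Teltonika's own tooling: it pairs each "Function not implemented" netlink error with the SAD entry that failed right after it, then tests whether the hash module for the configured algorithm appears in the lsmod output. The log lines and lsmod output are copied from the question; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: correlate strongSwan SA install failures with loaded hash modules.

# Log lines and lsmod output copied from the question above.
SAMPLE_LOG='Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] received netlink error: Function not implemented (89)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] unable to add SAD entry with SPI c817e6f5 (FAILED)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] received netlink error: Function not implemented (89)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[KNL] unable to add SAD entry with SPI d1991994 (FAILED)
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Mon Apr 6 17:28:33 2020 daemon.info ipsec: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA'
SAMPLE_LSMOD='crypto_hash 9746 7 ah6,ah4,sha256_generic,sha1_generic,md5,hmac,authenc
sha1_generic 1459 0
sha256_generic 9109 0'

# Count SAD entries the kernel refused directly after a
# "Function not implemented" netlink error. $1 = log text.
count_rejected_sas() {
    printf '%s\n' "$1" | awk '
        /\[KNL\] received netlink error: Function not implemented/ { enosys = 1; next }
        /\[KNL\] unable to add SAD entry/ { if (enosys) n++; enosys = 0; next }
        { enosys = 0 }
        END { print n + 0 }'
}

# Succeed if lsmod output ($1) lists <hash>_generic as a loaded module.
# $2 = hash name as used in module names, e.g. sha256 or sha512.
hash_module_loaded() {
    printf '%s\n' "$1" | awk -v m="${2}_generic" '$1 == m { found = 1 } END { exit !found }'
}

# diagnose LOG LSMOD HASH: print a one-word verdict.
diagnose() {
    rejected=$(count_rejected_sas "$1")
    if [ "$rejected" -gt 0 ] && ! hash_module_loaded "$2" "$3"; then
        echo "kernel-missing-$3"        # SA rejected and module absent
    elif [ "$rejected" -gt 0 ]; then
        echo "kernel-rejected-other"    # SA rejected, but this hash is loaded
    else
        echo "ok"
    fi
}

diagnose "$SAMPLE_LOG" "$SAMPLE_LSMOD" sha512
```

On a device, pass the live system log and `lsmod` output instead of the samples. An algorithm compiled into the kernel rather than loaded as a module does not appear in lsmod, so `/proc/crypto` is worth checking as well.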