g22113
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 3:21 pm

IPsec EC

Sat Aug 19, 2017 3:30 pm

Hi,

Happy to see that there's finally support for ECDH groups in IPsec, but there seem to be compatibility issues with strongSwan (5.6.0):
charon[935]: 15[ENC] invalid DH public value size (65 bytes) for ECP_256
charon[935]: 09[ENC] invalid DH public value size (97 bytes) for ECP_384
charon[935]: 11[ENC] invalid DH public value size (133 bytes) for ECP_521
According to crypto/diffie_hellman.c, strongSwan expects one byte less (64, 96, or 132) than RouterOS is trying to send...
 
ziegenberg
Frequent Visitor
Posts: 52
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: IPsec EC

Mon Aug 21, 2017 11:23 am

> Hi,
>
> Happy to see that there's finally support for ECDH groups in IPsec, but there seem to be compatibility issues with strongSwan (5.6.0):
> charon[935]: 15[ENC] invalid DH public value size (65 bytes) for ECP_256
> charon[935]: 09[ENC] invalid DH public value size (97 bytes) for ECP_384
> charon[935]: 11[ENC] invalid DH public value size (133 bytes) for ECP_521
> According to crypto/diffie_hellman.c, strongSwan expects one byte less (64, 96, or 132) than RouterOS is trying to send...

Hi!

Maybe you want to post your request as an answer to this post: viewtopic.php?f=21&t=123936&start=50#p613935. And you may send an email to support@mikrotik.com

greetings, Daniel
 
emils
MikroTik Support
Posts: 507
Joined: Thu Dec 11, 2014 8:53 am

Re: IPsec EC

Mon Aug 21, 2017 3:55 pm

Should be fixed in the next release candidate version (6.41rc17 or later). Please let us know if you experience any issues with this version.
 
g22113
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 3:21 pm

Re: IPsec EC

Thu Aug 24, 2017 1:50 pm

> Should be fixed in the next release candidate version (6.41rc17 or later). Please let us know if you experience any issues with this version.

Thanks, I tried rc17 and rc18, but:
13[ENC] invalid DH public value size (130 bytes) for ECP_521
13[IKE] remote host is behind NAT
13[IKE] applying DH public value failed
Meanwhile with ecp256 and ecp384:
10[LIB] MAC verification failed
10[ENC] verifying encrypted payload integrity failed
10[ENC] could not decrypt payloads
10[IKE] integrity check failed
10[IKE] IKE_AUTH request with message ID 1 processing failed
(I'm using IKEv2 PSK; so far only tried this with peer configuration, not phase2 proposals yet)
 
emils
MikroTik Support
Posts: 507
Joined: Thu Dec 11, 2014 8:53 am

Re: IPsec EC  [SOLVED]

Thu Aug 31, 2017 11:37 am

6.41rc21 will contain additional fixes regarding this issue. Please let us know if you experience any issues with this version.
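
The size mismatch reported in this thread (65/97/133 bytes sent where 64/96/132 are expected, later 130 bytes for ECP_521), as an added example that is not code from any poster, RouterOS or strongSwan: RFC 5903 defines the IKEv2 ECP key-exchange value as x || y, each coordinate left-padded to the field size. The names `ke_classify` and `ke_encode` are hypothetical, and reading the extra byte as a SEC1 `0x04` uncompressed-point prefix is an assumption the thread does not confirm.

```c
/* Added example: IKEv2 ECP key-exchange value sizes (RFC 5903). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Coordinate size in bytes for the three groups named in the thread. */
enum { ECP_256 = 32, ECP_384 = 48, ECP_521 = 66 };
enum ke_status { KE_OK, KE_SEC1_PREFIX, KE_BAD_LENGTH };

/* Receiver side: classify a received public value for a group. */
enum ke_status ke_classify(size_t coord, const uint8_t *ke, size_t len)
{
    if (len == 2 * coord)
        return KE_OK;              /* x || y at fixed width */
    if (len == 2 * coord + 1 && ke[0] == 0x04)
        return KE_SEC1_PREFIX;     /* assumed cause of 65/97/133 bytes */
    return KE_BAD_LENGTH;          /* e.g. 130 bytes for ECP_521 */
}

/* Sender side: left-pad big-endian x and y to the coordinate size.
 * out must hold 2 * coord bytes. Returns bytes written, 0 on error. */
size_t ke_encode(size_t coord, const uint8_t *x, size_t xlen,
                 const uint8_t *y, size_t ylen, uint8_t *out)
{
    if (xlen == 0 || ylen == 0 || xlen > coord || ylen > coord)
        return 0;
    memset(out, 0, 2 * coord);
    memcpy(out + (coord - xlen), x, xlen);
    memcpy(out + coord + (coord - ylen), y, ylen);
    return 2 * coord;
}

int main(void)
{
    /* Constructed sample buffer: 0x04 followed by zero filler bytes. */
    uint8_t buf[133] = { 0x04 };
    /* Constructed short coordinates, as if leading zeros were stripped. */
    uint8_t x[2] = { 0x01, 0x02 }, y[1] = { 0x7f }, out[2 * ECP_521];

    printf("ECP_256,  65 bytes: %d\n", ke_classify(ECP_256, buf, 65));
    printf("ECP_521, 133 bytes: %d\n", ke_classify(ECP_521, buf, 133));
    printf("ECP_521, 130 bytes: %d\n", ke_classify(ECP_521, buf, 130));
    printf("encoded ECP_521 length: %zu\n",
           ke_encode(ECP_521, x, sizeof x, y, sizeof y, out));
    return 0;
}
```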
