<div dir="ltr">
<p>I have to configure openswan 2.6.38 with Juniper SRX 1500 with the following connection parameters (dictated by the other party):</p>
<p>Phase 1 Properties</p>
<table>
<tr><td>IKE Version</td><td>v2</td></tr>
<tr><td>Authentication Method</td><td>Pre-Shared Secret</td></tr>
<tr><td>Encryption Scheme</td><td>IKE</td></tr>
<tr><td>Perfect Fwd Secrecy – IKE</td><td>DH Group 14</td></tr>
<tr><td>Encryption Algorithm – IKE</td><td>AES256</td></tr>
<tr><td>Hashing Algorithm – IKE</td><td>SHA256</td></tr>
<tr><td>Renegotiate IKE SA time</td><td>28800 seconds</td></tr>
</table>
<table>
<tr><th>Phase 2 Properties</th><th>CK Parameters</th><th>covata Parameters</th></tr>
<tr><td>Transform (IPSEC Protocol)</td><td>ESP</td><td></td></tr>
<tr><td>Perfect Fwd Secrecy - IPSEC</td><td>DH Group 14</td><td></td></tr>
<tr><td>Encryption Algorithm - IPSEC</td><td>AES256</td><td></td></tr>
<tr><td>Hashing Algorithm - IPSEC</td><td>SHA1</td><td></td></tr>
<tr><td>Renegotiate IPSEC SA time</td><td>28800 seconds</td><td></td></tr>
</table>
<p>I'm trying to translate this to "openswan configuration speak" but hit a problem with the Phase 1 settings.</p>
<p>I tried to set it with:</p>
<pre>
ike=aes256-sha256;modp2048
ikelifetime=8h
salifetime=8h
type=tunnel
authby=secret
forceencaps=yes
auto=start
left=%defaultroute
leftid=xx
leftnexthop=%defaultroute
leftsubnet=yy
right=zz
rightid=zz
rightsubnets={aaaaa}
pfs=yes
phase2=esp
phase2alg=aes256-sha1;modp2048
mtu=1360
</pre>
<p>But the tunnel doesn't come up and the system log has the line:</p>
<pre>
esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256", modp="modp2048"
</pre>
<p>I suppose I'm not specifying the sha256 correctly but I didn't find the right way. What is it?</p>
<p>Thanks,</p>
<p>--Amos</p>
</div>
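<p>The post is about translating a partner's parameter sheet into openswan's <code>ike=</code> / <code>phase2alg=</code> proposal strings and spotting where the translation went wrong. The script below is an added example, not code from the post or from the openswan project: it parses the proposal syntax (<code>enc[keylen]-auth[;modpN]</code>, comma-separated alternatives), reads the relevant conn lines, and reports every mismatch against the sheet. The keyword spellings in <code>ASSUMED_KEYWORDS</code> (in particular <code>sha2_256</code> for SHA-256 and the <code>ikev2=</code> values) are assumptions to verify against the <code>ipsec.conf(5)</code> man page of the openswan build in use; the DH group to modp mapping is the standard RFC 2409 / RFC 3526 numbering.</p>

```python
"""Checker for openswan-style ike= / phase2alg= proposal strings.
Added example (not from the original post or the openswan project): parses
"enc[keylen]-auth[;modpN]" proposals plus a few conn settings and compares
them with the partner's parameter sheet. ASSUMED_KEYWORDS are assumptions
to verify against ipsec.conf(5) for the openswan build in use.
"""
import re

# IKE DH group numbers -> openswan modp names (RFC 2409 / RFC 3526 groups).
DH_GROUP = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096"}

# Assumption: spellings accepted by openswan 2.6.x proposal strings / ikev2=.
ASSUMED_KEYWORDS = {
    "auth": {"md5", "sha1", "sha2_256", "sha2_512"},
    "sheet_hash": {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha2_256", "SHA512": "sha2_512"},
    "ikev2_on": {"insist", "propose", "yes"},
}
PROPOSAL_RE = re.compile(r"^([a-z0-9][a-z0-9_]*?)(128|192|256)?-([a-z0-9_]+)(?:;(modp\d+))?$")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Partner's sheet from the post, as a dict (constructed from the table).
SHEET = {
    "ike_version": 2, "ike_enc": ("aes", 256), "ike_hash": "SHA256", "ike_dh": 14,
    "ike_lifetime_s": 28800, "ipsec_enc": ("aes", 256), "ipsec_hash": "SHA1",
    "ipsec_dh": 14, "ipsec_lifetime_s": 28800,
}
# The conn lines from the post that matter for this check (constructed sample input).
POSTED_CONN = """
ike=aes256-sha256;modp2048
ikelifetime=8h
salifetime=8h
authby=secret
pfs=yes
phase2=esp
phase2alg=aes256-sha1;modp2048
"""

def parse_proposals(value):
    """'aes256-sha1;modp2048,3des-md5' -> one dict per alternative."""
    proposals = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        m = PROPOSAL_RE.match(item)
        if not m:
            raise ValueError("cannot parse proposal %r" % item)
        enc, keylen, auth, dh = m.groups()
        proposals.append({"enc": enc, "keylen": int(keylen) if keylen else None,
                          "auth": auth, "dh": dh})
    return proposals

def lifetime_seconds(value):
    """'8h' -> 28800; a bare number is taken as seconds."""
    m = re.match(r"^(\d+)([smhd]?)$", value.strip())
    if not m:
        raise ValueError("bad lifetime %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Minimal key=value reader for one conn section; comments and blanks skipped."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            conn[key.strip()] = val.strip()
    return conn

def check_proposal(label, p, want_enc, want_hash, want_group):
    """Compare one parsed proposal with the sheet; return human-readable findings."""
    out = []
    want_auth = ASSUMED_KEYWORDS["sheet_hash"][want_hash]
    if p["auth"] not in ASSUMED_KEYWORDS["auth"]:
        out.append("%s: auth %r is not a known keyword; sheet wants %s (assumed spelling %r)"
                   % (label, p["auth"], want_hash, want_auth))
    elif p["auth"] != want_auth:
        out.append("%s: auth %r but sheet wants %s" % (label, p["auth"], want_hash))
    if (p["enc"], p["keylen"]) != want_enc:
        out.append("%s: cipher %s%s but sheet wants %s%d" % (label, p["enc"], p["keylen"] or "", *want_enc))
    if p["dh"] != DH_GROUP[want_group]:
        out.append("%s: DH %r but sheet wants group %d (%s)" % (label, p["dh"], want_group, DH_GROUP[want_group]))
    return out

def check_conn(conn, sheet):
    """All findings for a conn section against the partner's sheet (empty list = consistent)."""
    findings = []
    for p in parse_proposals(conn.get("ike", "")):
        findings += check_proposal("ike", p, sheet["ike_enc"], sheet["ike_hash"], sheet["ike_dh"])
    for p in parse_proposals(conn.get("phase2alg", "")):
        findings += check_proposal("phase2alg", p, sheet["ipsec_enc"], sheet["ipsec_hash"], sheet["ipsec_dh"])
    if sheet["ike_version"] == 2 and conn.get("ikev2") not in ASSUMED_KEYWORDS["ikev2_on"]:
        findings.append("ikev2= is %r but the sheet requires IKEv2 (assumed: set ikev2=insist)" % conn.get("ikev2"))
    for key, want in (("ikelifetime", sheet["ike_lifetime_s"]), ("salifetime", sheet["ipsec_lifetime_s"])):
        if key in conn and lifetime_seconds(conn[key]) != want:
            findings.append("%s=%s is %ds but sheet wants %ds" % (key, conn[key], lifetime_seconds(conn[key]), want))
    return findings

if __name__ == "__main__":
    for line in check_conn(parse_conn(POSTED_CONN), SHEET) or ["no mismatches found"]:
        print(line)
```

<p>Run against the posted conn it reports two things: the Phase 1 auth keyword <code>sha256</code> is not in the assumed keyword set (the sheet's SHA256 would be <code>sha2_256</code> under that assumption, which also matches the <code>hash_alg not found</code> log line), and no <code>ikev2=</code> setting is present although the sheet dictates IKEv2. The lifetimes (<code>8h</code> = 28800 s), PFS group and the Phase 2 proposal all agree with the sheet.</p>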