<div dir="ltr">Thanks everyone.<div><br><div>While I was away my colleague got the other side to just switch to sha1 and the tunnel came up.</div></div><div><br></div><div>Cheers,</div><div><br></div><div>--Amos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 27 April 2016 at 21:15, Amos Shapira <span dir="ltr"><<a href="mailto:amos.shapira@gmail.com" target="_blank">amos.shapira@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks. I'll try that when I get back to the office.</div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On 26 April 2016 at 21:55, Daniel Cave <span dir="ltr"><<a href="mailto:dan.cave@me.com" target="_blank">dan.cave@me.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi Amos.</div><div><br></div><div>I found this document, which should help give you some clues as to what the Juniper side is expecting.</div><div><a href="http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=search" target="_blank">http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=search</a></div><div><br></div><div>In an attempt to be helpful, I would also look for examples. If you run ipsec auto status, the first head of messages gives you the phase 1/2 ciphers/algos it supports. If your config has the correct settings, then my guess of why it isn't connecting is that the remote peer doesn't correctly support it.
</div><div><br></div><div>When this has happened to me before I've suggested the remote end use 3des-sha1, but don't specify the phase 1 & 2 algos in your config file; let the OpenSwan daemon try and work out the connection itself, as it will try the highest and drop down until it's successfully negotiated.</div><div><br>Failing that, I would suggest that you look to the support people at your remote peer side using the Juniper and ask them what they are seeing and how they've got their end configured (if you haven't already). Also, you have no idea what version of firmware they are using on the SRX device; most third parties I've dealt with won't tell you at all because they're aware of pending security vulnerabilities, so they just tell you 'it's a Cisco/Juniper/OEM/other device'.</div><div><br></div><div>The fact you've got the phase 1 & phase 2 lifetimes set to be the same doesn't seem correct to me. What normally happens is that if you have both of them set to the same expiry, the tunnel appears to flap when they're due to be renewed and drops out temporarily (from what I've seen; however, you might want to bear this in mind, as technically the pending expiry should handle this and the tunnel *should* stay up).</div><div><br></div><div>I've discovered that the IKE lifetime should be higher and the phase 2 one lower. 
These values work for me and were validated against the Cisco ASA/5000 VPN we connected to.</div><div><pre>
###############################
# Settings
###############################
   ike=3des-md5
   phase2alg=3des-md5
   phase2=esp
###############################
   ikelifetime=86400s
#    keyexchange=ike
   keylife=28800s
</pre></div><div><br>Hope that helps</div><div><br></div><div>dan</div><div><div><div><br>On Apr 26, 2016, at 06:24 AM, Amos Shapira <<a href="mailto:amos.shapira@gmail.com" target="_blank">amos.shapira@gmail.com</a>> wrote:<br><br></div></div></div><div><blockquote type="cite"><div><div><div><div dir="ltr">I have to configure openswan 2.6.38 with a Juniper SRX 1500 with the following connection parameters (dictated by the other party):<div><br></div><div><pre>
Phase 1 Properties
IKE Version                   v2
Authentication Method         Pre-Shared Secret
Encryption Scheme             IKE
Perfect Fwd Secrecy - IKE     DH Group 14
Encryption Algorithm - IKE    AES256
Hashing Algorithm - IKE       SHA256
Renegotiate IKE SA time       28800 seconds

Phase 2 Properties            CK Parameters     covata Parameters
Transform (IPSEC Protocol)    ESP
Perfect Fwd Secrecy - IPSEC   DH Group 14
Encryption Algorithm - IPSEC  AES256
Hashing Algorithm - IPSEC     SHA1
Renegotiate IPSEC SA time     28800 seconds
</pre></div><div><br></div><div>I'm trying to translate this to "openswan configuration speak" but hit a problem with the Phase 1 settings.</div><div><br></div><div>I tried to set it with:</div><div><br></div><div><pre>
    ike=aes256-sha256;modp2048
    ikelifetime=8h
    salifetime=8h
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=xx
    leftnexthop=%defaultroute
    leftsubnet=yy
    right=zz
    rightid=zz
    rightsubnets={aaaaa}
    pfs=yes
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    mtu=1360
</pre></div><div><br></div><div>But the tunnel doesn't come up and the system log has the line:</div><div><br></div><div><pre>
esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256", modp="modp2048"
</pre></div><div><br></div><div>I suppose I'm not specifying the sha256 correctly but I didn't find the right way. What is it?</div><div><br></div><div>Thanks,</div><div><br></div><div>--Amos</div></div></div></div><div><span>_______________________________________________<br><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span></div></div></blockquote></div></div></blockquote></div><br><br clear="all"><div><br></div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>
</div>
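<div>Added example, not part of the thread and not code from the Openswan project: a small Python helper that turns a peer's parameter sheet like the one quoted above into the openswan ike=/phase2alg= lines and flags legacy algorithms before anyone agrees to "just switch to sha1". It assumes the token spellings documented in openswan's ipsec.conf(5), where SHA-256 is written sha2_256 rather than the sha256 that produced the "hash_alg not found" error, DH group 14 is modp2048, and IKEv2 is requested with ikev2=insist. The parameter sheet in the block is a constructed copy of the one in the thread, and the set of algorithms treated as legacy (3DES, MD5, SHA-1, DH groups below 2048 bits) is this example's choice, not something the thread states.</div>

```python
"""Turn a VPN peer's IKE/IPsec parameter sheet into openswan ipsec.conf
algorithm lines and flag legacy algorithms.

Added example for this thread; not code from the original posts or from the
Openswan project.  Token spellings (sha2_256, modp2048, ...) follow the
ike=/phase2alg= syntax in openswan's ipsec.conf(5).  The sheet below is a
constructed copy of the one quoted in the thread.
"""
import re

# Constructed copy of the peer's parameter sheet (both phases, one line each).
PEER_SHEET = """
Phase 1 Properties
IKE Version v2
Authentication Method Pre-Shared Secret
Perfect Fwd Secrecy - IKE DH Group 14
Encryption Algorithm - IKE AES256
Hashing Algorithm - IKE SHA256
Renegotiate IKE SA time 28800 seconds

Phase 2 Properties
Transform (IPSEC Protocol) ESP
Perfect Fwd Secrecy - IPSEC DH Group 14
Encryption Algorithm - IPSEC AES256
Hashing Algorithm - IPSEC SHA1
Renegotiate IPSEC SA time 28800 seconds
"""

# Vendor spelling -> openswan token.  SHA-2 is the one that bites: openswan
# spells it sha2_256, and "sha256" yields "hash_alg not found".
ENC = {"3DES": "3des", "AES128": "aes128", "AES192": "aes192", "AES256": "aes256"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha2_256",
        "SHA384": "sha2_384", "SHA512": "sha2_512"}
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536",
      "14": "modp2048", "15": "modp3072", "16": "modp4096"}

# Tokens this example flags for review (its own choice): 3DES, MD5/SHA-1 based
# integrity and DH groups under 2048 bits.  A peer may still insist on them;
# the point is to see them before agreeing.
LEGACY = {"3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_sheet(text):
    """Return {'ike': {...}, 'esp': {...}} keyed by enc/hash/dh/lifetime/version."""
    phases = {"ike": {}, "esp": {}}
    for raw in text.splitlines():
        line = raw.replace("\u2013", "-").strip()   # vendor sheets use en dashes
        if not line:
            continue
        phase = "esp" if "IPSEC" in line.upper() else "ike"
        if line.startswith("IKE Version"):
            phases["ike"]["version"] = line.split()[-1].lower()
        elif line.startswith("Encryption Algorithm"):
            phases[phase]["enc"] = line.split()[-1].upper()
        elif line.startswith("Hashing Algorithm"):
            phases[phase]["hash"] = line.split()[-1].upper()
        elif line.startswith("Perfect Fwd Secrecy"):
            m = re.search(r"DH Group\s+(\d+)", line)
            phases[phase]["dh"] = m.group(1) if m else None
        elif line.startswith("Renegotiate"):
            m = re.search(r"(\d+)\s*seconds", line)
            phases[phase]["lifetime"] = int(m.group(1)) if m else None
    return phases


def to_openswan(phases):
    """Render the conn lines the sheet dictates.  An unknown name is an error,
    not a silent fall-back to whatever the daemon would propose on its own."""
    ike, esp = phases["ike"], phases["esp"]
    try:
        ike_alg = f"{ENC[ike['enc']]}-{HASH[ike['hash']]};{DH[ike['dh']]}"
        esp_alg = f"{ENC[esp['enc']]}-{HASH[esp['hash']]};{DH[esp['dh']]}"
    except KeyError as e:
        raise ValueError(f"no openswan token for {e.args[0]!r}") from e
    lines = [f"ike={ike_alg}", "phase2=esp", f"phase2alg={esp_alg}"]
    if ike.get("version") == "v2":
        lines.append("ikev2=insist")          # assumption: openswan 2.6 ikev2= option
    if esp.get("dh"):
        lines.append("pfs=yes")               # the ;modpNNNN on phase2alg needs pfs
    if ike.get("lifetime"):
        lines.append(f"ikelifetime={ike['lifetime']}s")
    if esp.get("lifetime"):
        lines.append(f"salifetime={esp['lifetime']}s")
    return lines


def audit(lines):
    """Return (option, token) pairs for every legacy algorithm in ike=/phase2alg=."""
    findings = []
    for line in lines:
        if not line.startswith(("ike=", "phase2alg=")):
            continue
        option, spec = line.split("=", 1)
        findings.extend((option, tok) for tok in re.split(r"[-;,]", spec)
                        if tok in LEGACY)
    return findings


if __name__ == "__main__":
    conn = to_openswan(parse_sheet(PEER_SHEET))
    print("\n".join("    " + l for l in conn))
    for option, tok in audit(conn):
        print(f"# review: {option} uses legacy algorithm {tok}")
```

For the sheet in the thread the audit reports only the SHA-1 integrity on phase 2, which the peer dictated; run over the 3des-md5 settings quoted earlier it flags every token on both lines, and an ike= line rewritten to aes256-sha1 is flagged too, so the downgrade is at least a recorded decision rather than a side effect of getting the tunnel up.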