[Openswan Users] How to change PRF (pseudo random function) in openswan.

Chintagunta, Murali Mohan Chakravarthy (HPUX-Network Security) murali-mohan.chakravarthy at hp.com
Tue Mar 13 10:15:15 EDT 2012


I was trying IKEv2 interop tests between openswan and hpux.

I found that SA negotiation failed because of mismatch of the PRF function.

By default HP-UX supports HMAC-SHA1; it can additionally also support AES-XCBC as PRF. But openswan is offering HMAC-MD5 by default. Hence the SA negotiation failed.

Can anyone please let me know if there is a way to change the default PRF on openswan? It would be great if someone can point to any documentation.

| proposal 1 succeeded encr= (policy:3des vs offered:3des)
|             succeeded integ=(policy:auth-hmac-md5-96 vs offered:auth-hmac-md5-96)
|             failed prf=  (policy:prf-hmac-md5 vs offered:prf-hmac-sha1)
|             succeeded dh=   (policy:OAKLEY_GROUP_MODP1024 vs offered:OAKLEY_GROUP_MODP1024)
| complete v2 state transition with (null)
| state transition function for STATE_PARENT_R1 failed: NO_PROPOSAL_CHOSEN

Thanks a lot,
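
A small parser for the proposal-comparison debug lines quoted in the message above, added here as an example; it is not part of the original post and is not Openswan code. It assumes the line format seen in that excerpt only, and the function and field names are hypothetical.

```python
import re

# Constructed sample input: the debug lines quoted in the post, embedded verbatim.
SAMPLE_LOG = """\
| proposal 1 succeeded encr= (policy:3des vs offered:3des)
|             succeeded integ=(policy:auth-hmac-md5-96 vs offered:auth-hmac-md5-96)
|             failed prf=  (policy:prf-hmac-md5 vs offered:prf-hmac-sha1)
|             succeeded dh=   (policy:OAKLEY_GROUP_MODP1024 vs offered:OAKLEY_GROUP_MODP1024)
| complete v2 state transition with (null)
| state transition function for STATE_PARENT_R1 failed: NO_PROPOSAL_CHOSEN
"""

# One transform comparison: "<succeeded|failed> <type>= (policy:<A> vs offered:<B>)".
# The "proposal N" prefix appears only on the first line of each proposal.
TRANSFORM_RE = re.compile(
    r"(?:proposal\s+(?P<num>\d+)\s+)?"
    r"(?P<result>succeeded|failed)\s+(?P<type>\w+)=\s*"
    r"\(policy:(?P<policy>\S+)\s+vs\s+offered:(?P<offered>[^)\s]+)\)"
)
# Final verdict line: which state transition failed and with what notification.
FAILURE_RE = re.compile(r"state transition function for (\S+) failed: (\S+)")


def analyze(log_text):
    """Return (mismatches, failures) found in the debug log text.

    mismatches: one dict per transform type whose comparison failed.
    failures:   (state, notification) tuples from the verdict lines.
    """
    proposal = None  # number of the proposal currently being compared
    mismatches, failures = [], []
    for line in log_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            if m.group("num"):
                proposal = int(m.group("num"))
            if m.group("result") == "failed":
                mismatches.append({
                    "proposal": proposal,
                    "type": m.group("type"),
                    "policy": m.group("policy"),
                    "offered": m.group("offered"),
                })
            continue
        f = FAILURE_RE.search(line)
        if f:
            failures.append((f.group(1), f.group(2)))
    return mismatches, failures
```

Run over the excerpt, it reports a single mismatch, on the `prf` transform of proposal 1, followed by the `NO_PROPOSAL_CHOSEN` verdict.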
