[Openswan Users] How to change PRF (pseudo random function) in openswan.

Paul Wouters paul at nohats.ca
Tue Mar 13 11:19:04 EDT 2012

On Tue, 13 Mar 2012, Chintagunta, Murali Mohan Chakravarthy (HPUX-Network Security) wrote:

> I was trying IKEV2 interop tests between openswan and hpux.
> I found that SA negotiation failed because of mismatch of the PRF function.
> By default HP-UX supports either HMAC-SHA1, it can additionally also support AES-XCBC as  PRF.  But, openswan is  offering  HMAC-MD5 by default.  Hence the SA nego failed.

> Can anyone please let me know if there a way to change the default PRF on openswan ??  It would be great if someone can point to any documentation.

I thought we picked the prf based on the ike= setting?

So setting ike=aes-sha1 I believe will also set the PRF to hmac-sha1


More information about the Users mailing list