[Openswan Users] How to change PRF (pseudo random function) in openswan.
Chintagunta, Murali Mohan Chakravarthy (HPUX-Network Security)
murali-mohan.chakravarthy at hp.com
Wed Mar 14 01:20:25 EDT 2012
Thanks Paul, that worked!!
In HP-UX we can configure the PRF separately; it doesn't pick it up from the ike= setting.
I changed the ike= setting to 3des-sha1;dh24 and it worked.
esp mode=transport spi=361740825(0x158fba19) reqid=16385(0x00004001)
E: 3des-cbc 0886ef4b 49f12008 e7c15f3c c0ca6587 0810f788 84c8bd75
A: hmac-md5 fd84576a 8bf9dee1 a0c1fadb 3dd211ae
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Mar 14 10:35:15 2012 current: Mar 14 10:35:25 2012
diff: 10(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=4210 refcnt=0
esp mode=transport spi=1730622(0x001a683e) reqid=16385(0x00004001)
E: 3des-cbc 53386f36 edb42c3b 2e25d9a2 4b3c5d04 d2885575 ed08e7be
A: hmac-md5 cc74392c 4e322116 b8e98784 33d7f1aa
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Mar 14 10:35:15 2012 current: Mar 14 10:35:25 2012
diff: 10(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=4210 refcnt=0
Thanks a lot.
Murali
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Tuesday, March 13, 2012 8:49 PM
To: Chintagunta, Murali Mohan Chakravarthy (HPUX-Network Security)
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] How to change PRF (pseudo random function) in openswan.
On Tue, 13 Mar 2012, Chintagunta, Murali Mohan Chakravarthy (HPUX-Network Security) wrote:
> I was trying IKEV2 interop tests between openswan and hpux.
>
> I found that SA negotiation failed because of mismatch of the PRF function.
>
> By default HP-UX supports HMAC-SHA1; it can additionally also support AES-XCBC as PRF. But openswan is offering HMAC-MD5 by default. Hence the SA negotiation failed.
> Can anyone please let me know if there is a way to change the default PRF on openswan? It would be great if someone can point to any documentation.
I thought we picked the prf based on the ike= setting?
So setting ike=aes-sha1 I believe will also set the PRF to hmac-sha1
Paul
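
The negotiation failure discussed in this thread, as an added example that is not part of the original messages and is not Openswan or HP-UX code: in IKEv2 a proposal is accepted only if every transform type (encryption, PRF, integrity, DH group) has a match, so a PRF mismatch alone rejects it. The proposals, the non-PRF entries of the responder policy and the function name are assumptions made for the illustration.

```python
# Added illustration of IKEv2 transform matching (RFC 7296, section 3.3).
# All proposals are constructed for this example; they are not captured traffic.
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")

# Responder policy. The PRF set follows the thread (HMAC-SHA1, optionally
# AES-XCBC); the other entries are assumptions.
RESPONDER = {
    "ENCR": {"3DES"},
    "PRF": {"HMAC_SHA1", "AES128_XCBC"},
    "INTEG": {"HMAC_MD5_96", "HMAC_SHA1_96"},
    "DH": {"GROUP_24"},
}

# Initiator offer with HMAC-MD5 as PRF (the mismatch reported in the thread).
OFFER_MD5 = {"ENCR": ["3DES"], "PRF": ["HMAC_MD5"],
             "INTEG": ["HMAC_MD5_96"], "DH": ["GROUP_24"]}

# Offer assumed to correspond to ike=3des-sha1;dh24.
OFFER_SHA1 = {"ENCR": ["3DES"], "PRF": ["HMAC_SHA1"],
              "INTEG": ["HMAC_SHA1_96"], "DH": ["GROUP_24"]}


def select_proposal(offered, accepted):
    """Return (chosen, mismatched_types) for one proposal.

    offered:  {type: [transform names in the order offered]}
    accepted: {type: set of transform names the responder allows}
    Simplification: the responder takes the first offered transform it allows.
    """
    chosen, mismatched = {}, []
    for ttype in TRANSFORM_TYPES:
        allowed = accepted.get(ttype, set())
        match = next((t for t in offered.get(ttype, []) if t in allowed), None)
        if match is None:
            mismatched.append(ttype)
        else:
            chosen[ttype] = match
    # One transform type without overlap rejects the whole proposal
    # (the responder answers NO_PROPOSAL_CHOSEN).
    if mismatched:
        return None, mismatched
    return chosen, []


if __name__ == "__main__":
    for name, offer in (("md5 offer", OFFER_MD5), ("sha1 offer", OFFER_SHA1)):
        chosen, mismatched = select_proposal(offer, RESPONDER)
        print(name, "->", chosen if chosen else "rejected, no match for %s" % mismatched)
```

When a negotiation fails this way, comparing the two peers' transform lists type by type shows which one has no overlap.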