[Openswan Users] Specifying SHA256?

Amos Shapira amos.shapira at gmail.com
Tue Apr 26 01:22:38 EDT 2016


I have to configure openswan 2.6.38 with Juniper SRX 1500 with the following
connection parameters (dictated by the other party):

Phase 1 Properties
IKE Version v2
Authentication Method Pre-Shared Secret
Encryption Scheme IKE
Perfect Fwd Secrecy – IKE DH Group 14
Encryption Algorithm – IKE AES256
Hashing Algorithm – IKE SHA256
Renegotiate IKE SA time 28800 seconds


Phase 2 Properties CK Parameters covata Parameters
Transform (IPSEC Protocol) ESP
Perfect Fwd Secrecy - IPSEC DH Group 14
Encryption Algorithm - IPSEC AES256
Hashing Algorithm - IPSEC SHA1
Renegotiate IPSEC SA time 28800 seconds

I'm trying to translate this to "openswan configuration speak" but hit a
problem with the Phase 1 settings.

I tried to set it with:

    ike=aes256-sha256;modp2048
    ikelifetime=8h
    salifetime=8h
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=xx
    leftnexthop=%defaultroute
    leftsubnet=yy
    right=zz
    rightid=zz
    rightsubnets={aaaaa}
    pfs=yes
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    mtu=1360

But the tunnel doesn't come up and the system log has the line:

    esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256", modp="modp2048"

I suppose I'm not specifying the sha256 correctly but I didn't find the
right way. What is it?

Thanks,

--Amos