[Openswan Users] Specifying SHA256?
Daniel Cave
dan.cave at me.com
Tue Apr 26 07:55:15 EDT 2016
Hi Amos.
I found this document, which should help give you some clues about what the Juniper side is expecting.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=search
In an attempt to be helpful, I would also look for examples. If you run ipsec auto status, the first batch of messages gives you the phase 1/2 ciphers/algorithms it supports. If your config has the correct settings, then my guess as to why it isn't connecting is that the remote peer doesn't correctly support them.
When this has happened to me before, I've suggested the remote end use 3des-sha1 but not specified the phase 1 and 2 algorithms in my config file, letting the Openswan daemon try to work out the connection itself, as it will try the highest and drop down until it has successfully negotiated.
Failing that, I would suggest that you look to the support people at your remote peer side using the Juniper and ask them what they are seeing and how they've got their end configured (if you haven't already). Also, you have no idea what version of firmware they are using on the SRX device; most third parties I've dealt with won't tell you at all, because they're aware of pending security vulnerabilities, so they just tell you "it's a Cisco/Juniper/OEM/other device".
The fact that you've got the phase 1 and phase 2 lifetimes set to the same value doesn't seem correct to me. What normally happens is that if you have both of them set to the same expiry, the tunnel appears to flap when they're due to be renewed and drops out temporarily (from what I've seen; however, you might want to bear in mind that technically the pending expiry should handle this and the tunnel *should* stay up).
I've discovered that the IKE lifetime should be higher and the phase 2 lifetime lower. These values work for me and were validated against the Cisco ASA/5000 VPN we connected to.
###############################
# Settings
###############################
ike=3des-md5
phase2alg=3des-md5
phase2=esp
###############################
ikelifetime=86400s
# keyexchange=ike
keylife=28800s
Hope that helps
dan
On Apr 26, 2016, at 06:24 AM, Amos Shapira <amos.shapira at gmail.com> wrote:
I have to configure openswan 2.6.38 with a Juniper SRX 1500 with the following connection parameters (dictated by the other party):
Phase 1 Properties
  IKE Version: v2
  Authentication Method: Pre-Shared Secret
  Encryption Scheme: IKE
  Perfect Fwd Secrecy (IKE): DH Group 14
  Encryption Algorithm (IKE): AES256
  Hashing Algorithm (IKE): SHA256
  Renegotiate IKE SA time: 28800 seconds
Phase 2 Properties
  Transform (IPSEC Protocol): ESP
  Perfect Fwd Secrecy (IPSEC): DH Group 14
  Encryption Algorithm (IPSEC): AES256
  Hashing Algorithm (IPSEC): SHA1
  Renegotiate IPSEC SA time: 28800 seconds
I'm trying to translate this to "openswan configuration speak" but hit a problem with the Phase 1 settings.
I tried to set it with:
ike=aes256-sha256;modp2048
ikelifetime=8h
salifetime=8h
type=tunnel
authby=secret
forceencaps=yes
auto=start
left=%defaultroute
leftid=xx
leftnexthop=%defaultroute
leftsubnet=yy
right=zz
rightid=zz
rightsubnets={aaaaa}
pfs=yes
phase2=esp
phase2alg=aes256-sha1;modp2048
mtu=1360
But the tunnel doesn't come up and the system log has the line:
esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256", modp="modp2048"
I suppose I'm not specifying the sha256 correctly but I didn't find the right way. What is it?
Thanks,
--Amos
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
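As an added example (not part of the thread and not from the Openswan project), here is the peer's parameter sheet above expressed as one Openswan ipsec.conf conn. It assumes, and flags, two things: that Openswan's keyword for SHA-256 in ike= and phase2alg= is sha2_256 (the literal token "sha256" is what the logged "hash_alg not found" error rejects), and that the peer's "IKE Version v2" requirement maps to ikev2=insist. Addresses, IDs and subnets are placeholders.

```ini
# Added example: Amos's Juniper SRX parameters as an Openswan ipsec.conf conn.
# Assumptions, flagged here: SHA-256 is spelled "sha2_256" in Openswan's
# algorithm strings, and the peer mandates IKEv2 (ikev2=insist).
# Addresses, IDs and subnets are placeholders (RFC 5737 documentation ranges).
conn juniper-srx
    type=tunnel
    authby=secret
    ikev2=insist                      # assumption: peer requires IKE version 2
    # Phase 1: AES-256, SHA-256, DH group 14 (modp2048)
    ike=aes256-sha2_256;modp2048
    ikelifetime=8h                    # 28800 s, as dictated by the peer
    # Phase 2: ESP, AES-256, SHA-1, PFS with DH group 14 (modp2048)
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    pfs=yes
    salifetime=8h                     # 28800 s as dictated; Dan's advice is to keep this below ikelifetime
    forceencaps=yes
    mtu=1360
    left=%defaultroute
    leftid=@local-id                  # placeholder
    leftnexthop=%defaultroute
    leftsubnet=10.0.0.0/24            # placeholder
    right=203.0.113.10                # placeholder (TEST-NET-3)
    rightid=203.0.113.10              # placeholder
    rightsubnets={192.0.2.0/24}       # placeholder (TEST-NET-1)
    auto=start
```

Before loading it, check the algorithm list that `ipsec auto --status` prints at the top of its output, as Dan suggests: if no SHA-256 entry appears among the IKE hash algorithms, the daemon build does not support it and no spelling of the ike= string will help; if it does appear, a remaining "hash_alg not found" error points at the token spelling rather than at the peer.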