[Openswan Users] Specifying SHA256?
Amos Shapira
amos.shapira at gmail.com
Wed Apr 27 07:15:46 EDT 2016
Thanks. I'll try that when I get back to the office.
On 26 April 2016 at 21:55, Daniel Cave <dan.cave at me.com> wrote:
> Hi Amos.
>
> I found this document -which should help give you some clues what the
> Juniper side is expecting.
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=search
>
> In an attempt to be helpful, I would also look for examples - if you run
> ipsec auto status, the first head of messages give you the phase 1/2
> ciphers/algos it supports, if your config has the correct settings, then
> my guess of why it isn't connecting is that the remote peer doesn't
> correctly support it.
>
> When this has happened to me before I've suggested the remote end use
> 3des-sha1 but don't specify the phase 1 & 2 algos in your config file, let
> the OpenSwan daemon try and work out the connection itself, as it will try
> the highest and drop down until it's successfully negotiated.
>
> Failing that - I would suggest that you look to the support people at your
> remote peer side using the Juniper and ask them what they are seeing and
> how they've got their end configured (if you haven't already). Also
> you have no idea of what version of firmware they are using on the SRX
> device, most third parties I've dealt with won't tell you at all because
> they're aware of pending security vulnerabilities, so just tell you 'it's a
> cisco/juniper/OEM/other device'.
>
> The fact you've got the phase 1 & phase 2 lifetimes set to be the same,
> doesn't seem correct to me, usually the phase 1 - what normally happens is
> if you have both of them set at the same expiry, the tunnel appears to flap
> when they're due to be renewed and the tunnel drops out temporarily (from
> what I've seen) - however you might want to bear this in mind as technically
> the pending expiry should handle this and the tunnel *should* stay up.
>
> I've discovered that the IKE lifetime should be higher and phase2 is
> lower. These values work for me and were validated to the Cisco
> ASA/5000 VPN we connected to.
> ###############################
> # Settings
> ###############################
> ike=3des-md5
> phase2alg=3des-md5
> phase2=esp
> ###############################
> ikelifetime=86400s
> # keyexchange=ike
> keylife=28800s
>
> Hope that helps
>
> dan
>
> On Apr 26, 2016, at 06:24 AM, Amos Shapira <amos.shapira at gmail.com> wrote:
>
> I have to configure openswan 2.6.38 with Juniper SRX 1500 with the
> following connection parameters (dictated by the other party):
>
> Phase 1 Properties
> IKE Version v2
> Authentication Method Pre-Shared Secret
> Encryption Scheme IKE
> Perfect Fwd Secrecy – IKE DH Group 14
> Encryption Algorithm – IKE AES256
> Hashing Algorithm – IKE SHA256
> Renegotiate IKE SA time 28800 seconds
>
>
> Phase 2 Properties CK Parameters covata Parameters
> Transform (IPSEC Protocol) ESP
> Perfect Fwd Secrecy - IPSEC DH Group 14
> Encryption Algorithm - IPSEC AES256
> Hashing Algorithm - IPSEC SHA1
> Renegotiate IPSEC SA time 28800 seconds
>
> I'm trying to translate this to "openswan configuration speak" but hit a
> problem with the Phase 1 settings.
>
> I tried to set it with:
>
> ike=aes256-sha256;modp2048
> ikelifetime=8h
> salifetime=8h
> type=tunnel
> authby=secret
> forceencaps=yes
> auto=start
> left=%defaultroute
> leftid=xx
> leftnexthop=%defaultroute
> leftsubnet=yy
> right=zz
> rightid=zz
> rightsubnets={aaaaa}
> pfs=yes
> phase2=esp
> phase2alg=aes256-sha1;modp2048
> mtu=1360
>
> But the tunnel doesn't come up and the system log has the line:
>
> esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256",
> modp="modp2048"
>
> I suppose I'm not specifying the sha256 correctly but I didn't find the
> right way. What is it?
>
> Thanks,
>
> --Amos
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
--
<http://au.linkedin.com/in/gliderflyer>
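The two suggestions in this thread (compare the ike=/phase2alg= strings against what your own daemon reports, and keep the IKE lifetime longer than the phase 2 lifetime) can be turned into a small pre-flight check. The script below is an added example written for this thread, not Openswan code and not something either poster ran. It parses proposal strings of the shape enc[keylen]-auth[;modpNNNN] (several separated by commas), which is an assumption about the syntax as it appears in the messages above, and reports token-level mismatches in the same style as the pluto log line Amos quoted. The known-algorithm sets it is fed here are constructed only from names that occur in this thread; in real use they must be filled from the algorithm list your daemon prints (for example in ipsec auto --status), because they are not a complete Openswan table.

```python
"""Added example: lint Openswan-style proposal strings and lifetimes.

Not Openswan code. The proposal syntax, the log-line phrasing and the
"IKE lifetime longer than phase 2" rule are all taken from the messages
in this thread; the KNOWN_* sets below are constructed from names that
appear there and are NOT a complete list of what any Openswan build
accepts.
"""
import re

# enc[keylen]-auth[;modpNNNN]; the non-greedy enc lets 'aes256' split into
# enc='aes', keylen='256' while '3des' stays whole (assumed syntax).
_PROPOSAL = re.compile(
    r"^(?P<enc>[a-z0-9_]+?)(?P<keylen>\d{3})?-(?P<auth>[a-z0-9_]+)"
    r"(?:;(?P<modp>modp\d+))?$"
)
# Lifetimes on the page appear as '8h', '86400s', '28800s'.
_LIFETIME = re.compile(r"^(\d+)([smhd]?)$")
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_proposals(text):
    """Split 'aes256-sha256;modp2048,3des-md5' into one dict per proposal."""
    out = []
    for item in text.split(","):
        m = _PROPOSAL.match(item.strip())
        if not m:
            raise ValueError("cannot parse proposal %r" % item)
        out.append({
            "enc": m.group("enc"),
            "keylen": int(m.group("keylen")) if m.group("keylen") else None,
            "auth": m.group("auth"),
            "modp": m.group("modp"),
        })
    return out


def parse_lifetime(text):
    """Convert '8h', '28800s' or '86400' to a number of seconds."""
    m = _LIFETIME.match(text.strip())
    if not m:
        raise ValueError("bad lifetime %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_proposals(text, known_enc, known_auth, known_modp):
    """One finding per token not in the known sets, phrased like pluto's log."""
    findings = []
    for p in parse_proposals(text):
        where = 'enc_alg="%s", auth_alg="%s", modp="%s"' % (
            p["enc"], p["auth"], p["modp"])
        if p["enc"] not in known_enc:
            findings.append("enc_alg not found, " + where)
        if p["auth"] not in known_auth:
            findings.append("hash_alg not found, " + where)
        if p["modp"] and p["modp"] not in known_modp:
            findings.append("modp not found, " + where)
    return findings


def lint_conn(conn, known_enc, known_auth, known_modp):
    """Check a conn block (dict of ipsec.conf keys) and return findings."""
    findings = []
    for key in ("ike", "phase2alg"):
        if key in conn:
            findings += ["%s: %s" % (key, f) for f in
                         check_proposals(conn[key], known_enc, known_auth, known_modp)]
    # 'keylife' is the older spelling of 'salifetime'; both occur in the thread.
    phase2 = conn.get("salifetime") or conn.get("keylife")
    if "ikelifetime" in conn and phase2:
        ike_s, p2_s = parse_lifetime(conn["ikelifetime"]), parse_lifetime(phase2)
        if ike_s <= p2_s:
            findings.append("ikelifetime %ds is not longer than phase 2 lifetime %ds; "
                            "both SAs will come up for rekey together" % (ike_s, p2_s))
    return findings


# Constructed from names in this thread only; fill from your daemon's output.
KNOWN_ENC = {"aes", "3des"}
KNOWN_AUTH = {"md5", "sha1"}
KNOWN_MODP = {"modp2048"}

# The two conn fragments quoted in the thread.
CONN_ASKED = {"ike": "aes256-sha256;modp2048", "ikelifetime": "8h",
              "salifetime": "8h", "phase2alg": "aes256-sha1;modp2048"}
CONN_WORKING = {"ike": "3des-md5", "phase2alg": "3des-md5",
                "ikelifetime": "86400s", "keylife": "28800s"}

if __name__ == "__main__":
    for name, conn in (("asked", CONN_ASKED), ("working", CONN_WORKING)):
        for f in lint_conn(conn, KNOWN_ENC, KNOWN_AUTH, KNOWN_MODP) or ["ok"]:
            print("%s: %s" % (name, f))
```

Run against the thread's own fragments, the first conn yields a "hash_alg not found" line for the ike= string and a lifetime warning for the equal 8h values, while Daniel's 3des-md5 block with 86400s/28800s passes cleanly. The point of keeping the known sets as parameters is that the daemon, not this script, is the authority on which names exist.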