[Openswan Users] Specifying SHA256?
Simon Deziel
simon at xelerance.com
Wed Apr 27 09:03:32 EDT 2016
Hi Amos,
On 2016-04-26 01:22 AM, Amos Shapira wrote:
> I have to configure openswan 2.6.38 with Juniper SRX 1500 with the
> following connection parameters (dictated by the other party):
>
> Phase 1 Properties
> IKE Version: v2
> Authentication Method: Pre-Shared Secret
> Encryption Scheme: IKE
> Perfect Fwd Secrecy – IKE: DH Group 14
> Encryption Algorithm – IKE: AES256
> Hashing Algorithm – IKE: SHA256
> Renegotiate IKE SA time: 28800 seconds
>
>
> Phase 2 Properties | CK Parameters | covata Parameters
> Transform (IPSEC Protocol): ESP
> Perfect Fwd Secrecy - IPSEC: DH Group 14
> Encryption Algorithm - IPSEC: AES256
> Hashing Algorithm - IPSEC: SHA1
> Renegotiate IPSEC SA time: 28800 seconds
>
> I'm trying to translate this to "openswan configuration speak" but hit a
> problem with the Phase 1 settings.
>
> I tried to set it with:
>
> ike=aes256-sha256;modp2048
> ikelifetime=8h
> salifetime=8h
> type=tunnel
> authby=secret
> forceencaps=yes
> auto=start
> left=%defaultroute
> leftid=xx
> leftnexthop=%defaultroute
> leftsubnet=yy
> right=zz
> rightid=zz
> rightsubnets={aaaaa}
> pfs=yes
> phase2=esp
> phase2alg=aes256-sha1;modp2048
> mtu=1360
>
> But the tunnel doesn't come up and the system log has the line:
>
> esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256",
> modp="modp2048"
>
> I suppose I'm not specifying the sha256 correctly but I didn't find the
> right way. What is it?
Since SHA2 comes in various bit lengths, the syntax is like this:
ike=aes256-sha2_256;modp2048
Regards,
Simon
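
The check below is an added example, not part of the original thread or of Openswan: it scans ipsec.conf text for proposal keywords (ike=, esp=, phase2alg=) that use a bare SHA-2 name such as sha256 and suggests the sha2_<bits> spelling from the reply. The sample config and conn name are constructed, and extending the spelling from sha2_256 to the 384 and 512 bit variants is an assumption.

```python
import re

# Keywords whose values are proposal strings like "aes256-sha256;modp2048".
PROPOSAL_KEYS = {"ike", "esp", "phase2alg"}
# Bare SHA-2 names. The reply confirms sha2_256; applying the same
# sha2_<bits> spelling to 384 and 512 is an assumption of this example.
BARE_SHA2 = re.compile(r"^sha(256|384|512)$", re.IGNORECASE)

# Constructed sample built from the settings quoted in the post.
SAMPLE_CONF = """\
conn example-tunnel            # hypothetical conn name
    ike=aes256-sha256;modp2048
    ikelifetime=8h
    phase2alg=aes256-sha1;modp2048
"""

def fix_proposal(value):
    """Return (rewritten value, list of bare SHA-2 tokens found)."""
    parts = re.split(r"([-;,\s]+)", value)   # keep separators for rejoining
    bad = []
    for i, token in enumerate(parts):
        m = BARE_SHA2.match(token)
        if m:
            bad.append(token)
            parts[i] = "sha2_" + m.group(1)
    return "".join(parts), bad

def check_proposals(conf_text):
    """Return (line number, keyword, bad tokens, suggested value) per finding."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in PROPOSAL_KEYS:
            continue
        fixed, bad = fix_proposal(value.strip('"'))
        if bad:
            findings.append((number, key, bad, fixed))
    return findings

if __name__ == "__main__":
    for number, key, bad, fixed in check_proposals(SAMPLE_CONF):
        print(f"line {number}: {key}= uses {', '.join(bad)}; try {key}={fixed}")
```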