[Openswan Users] Specifying SHA256?
Amos Shapira
amos.shapira at gmail.com
Thu Apr 28 21:39:09 EDT 2016
Thanks everyone.
While I was away, my colleague got the other side to just switch to sha1 and
the tunnel came up.
Cheers,
--Amos
On 27 April 2016 at 21:15, Amos Shapira <amos.shapira at gmail.com> wrote:
> Thanks. I'll try that when I get back to the office.
>
> On 26 April 2016 at 21:55, Daniel Cave <dan.cave at me.com> wrote:
>
>> Hi Amos.
>>
>> I found this document, which should help give you some clues as to what the
>> Juniper side is expecting.
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=search
>>
>> In an attempt to be helpful, I would also look for examples. If you run
>> ipsec auto status, the first batch of messages gives you the phase 1/2
>> ciphers/algorithms it supports. If your config has the correct settings, then
>> my guess as to why it isn't connecting is that the remote peer doesn't
>> correctly support it.
>>
>> When this has happened to me before, I've suggested the remote end use
>> 3des-sha1 but not specify the phase 1 & 2 algorithms in your config file; let
>> the Openswan daemon try and work out the connection itself, as it will try
>> the highest and drop down until it's successfully negotiated.
>>
>> Failing that, I would suggest that you talk to the support people at
>> your remote peer side using the Juniper and ask them what they are seeing
>> and how they've got their end configured (if you haven't already).
>> Also, you have no idea what version of firmware they are using on the
>> SRX device; most third parties I've dealt with won't tell you at all
>> because they're aware of pending security vulnerabilities, so they just tell
>> you "it's a Cisco/Juniper/OEM/other device".
>>
>> The fact that you've got the phase 1 & phase 2 lifetimes set to be the same
>> doesn't seem correct to me. What normally happens is that if you have both
>> of them set to the same expiry, the tunnel appears to flap when they're due
>> to be renewed and the tunnel drops out temporarily (from what I've seen;
>> however, you might want to bear this in mind, as technically the pending
>> expiry should handle this and the tunnel *should* stay up).
>>
>> I've discovered that the IKE lifetime should be higher and the phase 2
>> lifetime lower. These values work for me and were validated against the
>> Cisco ASA/5000 VPN we connected to.
>> ###############################
>> # Settings
>> ###############################
>> ike=3des-md5
>> phase2alg=3des-md5
>> phase2=esp
>> ###############################
>> ikelifetime=86400s
>> # keyexchange=ike
>> keylife=28800s
>>
>> Hope that helps
>>
>> dan
>>
>> On Apr 26, 2016, at 06:24 AM, Amos Shapira <amos.shapira at gmail.com>
>> wrote:
>>
>> I have to configure openswan 2.6.38 with a Juniper SRX 1500 with the
>> following connection parameters (dictated by the other party):
>>
>> Phase 1 Properties
>> IKE Version v2
>> Authentication Method Pre-Shared Secret
>> Encryption Scheme IKE
>> Perfect Fwd Secrecy – IKE DH Group 14
>> Encryption Algorithm – IKE AES256
>> Hashing Algorithm – IKE SHA256
>> Renegotiate IKE SA time 28800 seconds
>>
>>
>> Phase 2 Properties CK Parameters covata Parameters
>> Transform (IPSEC Protocol) ESP
>> Perfect Fwd Secrecy - IPSEC DH Group 14
>> Encryption Algorithm - IPSEC AES256
>> Hashing Algorithm - IPSEC SHA1
>> Renegotiate IPSEC SA time 28800 seconds
>>
>> I'm trying to translate this to "openswan configuration speak" but hit a
>> problem with the Phase 1 settings.
>>
>> I tried to set it with:
>>
>> ike=aes256-sha256;modp2048
>> ikelifetime=8h
>> salifetime=8h
>> type=tunnel
>> authby=secret
>> forceencaps=yes
>> auto=start
>> left=%defaultroute
>> leftid=xx
>> leftnexthop=%defaultroute
>> leftsubnet=yy
>> right=zz
>> rightid=zz
>> rightsubnets={aaaaa}
>> pfs=yes
>> phase2=esp
>> phase2alg=aes256-sha1;modp2048
>> mtu=1360
>>
>> But the tunnel doesn't come up and the system log has the line:
>>
>> esp string error: hash_alg not found, enc_alg="aes", auth_alg="sha256",
>> modp="modp2048"
>>
>> I suppose I'm not specifying the sha256 correctly but I didn't find the
>> right way. What is it?
>>
>> Thanks,
>>
>> --Amos
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>>
>>
>
>
> --
> <http://au.linkedin.com/in/gliderflyer>
>
--
<http://au.linkedin.com/in/gliderflyer>
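The thread turns on two things: how Openswan spells the hash keyword in an `ike=`/`phase2alg=` string (the posted `aes256-sha256;modp2048` was rejected with `hash_alg not found`), and Dan's advice that the IKE lifetime should exceed the phase 2 lifetime. The script below is an added example, not code from the thread or from the Openswan project. It maps the peer-dictated proposal (AES256 / SHA256 / DH group 14) to an Openswan algorithm string and lints a conn fragment for unknown keywords and lifetime ordering. The keyword table it uses, in particular `sha2_256` as Openswan's spelling of HMAC-SHA-256 and `modp2048` for DH group 14, is my reading of the Openswan algorithm parser and is an assumption to check against your installed version.

```python
"""
Translate a peer-dictated IPsec proposal into Openswan ike=/phase2alg=
strings and lint the resulting ipsec.conf conn fragment.

Added example, not Openswan code. The keyword tables are assumptions
about the Openswan 2.6.x algorithm parser; verify them on your build.
"""
import re

# Assumed Openswan keywords for the names a peer's proposal sheet uses.
ENC = {"AES128": "aes128", "AES256": "aes256", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha2_256", "SHA512": "sha2_512"}
DH = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}

KNOWN_ENC, KNOWN_HASH, KNOWN_DH = set(ENC.values()), set(HASH.values()), set(DH.values())

# One proposal is enc-hash[;modpNNNN]; several may be comma separated.
ALG_RE = re.compile(r"^(?P<enc>[a-z0-9_]+)-(?P<hash>[a-z0-9_]+)(?:;(?P<dh>modp\d+))?$")


def proposal_to_alg_string(enc, hash_, dh_group):
    """Build 'enc-hash;modp' from peer-facing names, e.g. ('AES256', 'SHA256', 14)."""
    return f"{ENC[enc]}-{HASH[hash_]};{DH[str(dh_group)]}"


def check_alg_string(s):
    """Return the problems in an ike=/phase2alg= value, mimicking the
    'hash_alg not found' style of error seen in the thread."""
    problems = []
    for prop in s.split(","):
        m = ALG_RE.match(prop.strip())
        if not m:
            problems.append(f"unparseable proposal {prop!r}")
            continue
        if m["enc"] not in KNOWN_ENC:
            problems.append(f"enc_alg not found: {m['enc']}")
        if m["hash"] not in KNOWN_HASH:
            hint = " (did you mean sha2_256?)" if m["hash"] == "sha256" else ""
            problems.append(f"hash_alg not found: {m['hash']}{hint}")
        if m["dh"] and m["dh"] not in KNOWN_DH:
            problems.append(f"modp group not found: {m['dh']}")
    return problems


def parse_seconds(value):
    """Parse Openswan time values such as '8h', '28800s' or '86400'."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    return int(m[1]) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m[2]]


def lint_conn(conf_text):
    """Lint a conn fragment: algorithm keywords plus the lifetime ordering
    suggested in the thread (IKE SA lifetime longer than the phase 2 lifetime)."""
    kv = dict(
        line.strip().split("=", 1)
        for line in conf_text.splitlines()
        if "=" in line and not line.strip().startswith("#")
    )
    problems = []
    for key in ("ike", "phase2alg"):
        if key in kv:
            problems += [f"{key}: {p}" for p in check_alg_string(kv[key])]
    ike_life = kv.get("ikelifetime")
    sa_life = kv.get("salifetime") or kv.get("keylife")
    if ike_life and sa_life and parse_seconds(ike_life) <= parse_seconds(sa_life):
        problems.append("ikelifetime should exceed the phase 2 lifetime")
    return problems


# Constructed sample: the algorithm and lifetime lines from the posted conn.
POSTED_CONN = """\
ike=aes256-sha256;modp2048
ikelifetime=8h
salifetime=8h
pfs=yes
phase2=esp
phase2alg=aes256-sha1;modp2048
"""

# Same fragment with the hash keyword respelled as assumed above.
FIXED_CONN = POSTED_CONN.replace("aes256-sha256", "aes256-sha2_256")

if __name__ == "__main__":
    print(proposal_to_alg_string("AES256", "SHA256", 14))
    for name, conf in (("posted", POSTED_CONN), ("fixed", FIXED_CONN)):
        print(name, lint_conn(conf) or "ok")
```

Running it on the posted fragment reports the unknown `sha256` hash keyword with the suggested respelling, plus the equal lifetimes; the respelled fragment keeps only the lifetime note, since the peer dictated 28800 seconds for both SAs.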