On Mon, 20 Jun 2016, Frank wrote:
> Can the auth keysize minima be lowered?
> The right side (Juniper SRX) only supports these:
>
> hmac-md5-96       HMAC-MD5-96 authentication algorithm
> hmac-sha-256-128  HMAC-SHA-256-128 authentication algorithm
> hmac-sha-256-96   HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)
> hmac-sha1-96      HMAC-SHA1-96 authentication algorithm
>
> libreswan:
>
> 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>
> which are all higher than the keysizemin of the Juniper.
Those are not really keysizes but the standard hash size and truncation
values. So there are not different truncation sizes for any of the hash
algorithms, with the exception of the support of the bogus Linux 96-bit
truncation size for sha2_256, which is enabled using sha2-truncbug=yes.
The above quoted ESP algorithms are just described using "md5", "sha2"
(which is the same as "sha2_256") and with/without sha2-truncbug=yes.
> I'm on CentOS 7 with libreswan.x86_64 3.12-10.1.el7_1, with backports by
> Red Hat.
> How to make this work?
It should just work for you.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
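The distinction drawn in the reply above, as an added example that is not part of the original thread or of libreswan's code: the 128/160/256 figures libreswan prints are HMAC key lengths, while the -96/-128 suffix in the Juniper names is how many bits of the HMAC output are sent as the ICV. The helper names (`icv`, `send`, `receive`), the key and the packet are constructed for illustration, and the "data followed by ICV" wire format is a simplification of ESP.

```python
import hmac

# Juniper proposal name -> (hash, key bits, ICV bits sent on the wire).
# Key bits equal the keysizemin/keysizemax libreswan prints; ICV bits are
# the "-96"/"-128" suffix of the Juniper name.
ALGS = {
    "hmac-md5-96": ("md5", 128, 96),
    "hmac-sha1-96": ("sha1", 160, 96),
    "hmac-sha-256-128": ("sha256", 256, 128),
    "hmac-sha-256-96": ("sha256", 256, 96),  # the non-RFC truncation
}

KEY = bytes(range(32))                    # constructed 256-bit key
PACKET = b"constructed ESP payload 0001"  # constructed, not a real ESP packet


def icv(name, key, data):
    """Full HMAC over data, truncated to the algorithm's ICV length."""
    digest, key_bits, icv_bits = ALGS[name]
    if len(key) * 8 != key_bits:
        raise ValueError(f"{name} takes a {key_bits}-bit key")
    return hmac.new(key, data, digest).digest()[: icv_bits // 8]


def send(name, key, data):
    """Simplified wire format: data followed by the truncated ICV."""
    return data + icv(name, key, data)


def receive(name, key, wire):
    """Split off the ICV using the receiver's own length, then verify."""
    n = ALGS[name][2] // 8
    body, tag = wire[:-n], wire[-n:]
    return hmac.compare_digest(icv(name, key, body), tag)


if __name__ == "__main__":
    for name, (_, key_bits, icv_bits) in ALGS.items():
        print(f"{name:18} key={key_bits} bits, ICV={icv_bits} bits")
    wire = send("hmac-sha-256-96", KEY, PACKET)
    print("96-bit sender, 96-bit receiver :", receive("hmac-sha-256-96", KEY, wire))
    print("96-bit sender, 128-bit receiver:", receive("hmac-sha-256-128", KEY, wire))
```

Both SHA-256 variants use the same 256-bit key, so the only thing the two peers have to agree on is the truncation length; a mismatch there makes every packet fail integrity verification.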