different hash method



laf_c
2015-02-20, 11:07
Hi guys,

I have two centrally managed appliances running R76 and an IPSEC tunnel configured the traditional way.
I had a look today at the Encrypt rule at each location and noticed different Phase 2 settings:

FW1 to FW2 Encrypt

907

while FW2 to FW1 Encrypt

908

Most of the traffic is working between the two locations, and I wouldn't have noticed this if someone hadn't asked me to troubleshoot a server clustering protocol. This is what I can see in Tracker:

Number: 145465
Date: 20Feb2015
Time: 0:30:49
Interface: eth1c0
Origin: FW1
Type: Log
Action: Drop
Service: Clustering_UDP (24)
Source Port: Clustering_UDP (24)
Source: Puremessage1(172.16.210.110)
Destination: Puremessage2(172.16.114.188)
Protocol: udp
Information: encryption fail reason: different hash methods
Product: Security Gateway/Management
Product Family: Network
Policy Info: Policy Name: FW1Policy
Created at: Mon Feb 16 23:23:03 2015
Installed from: managementServer

Why is it that some traffic works while some does NOT?

Thanks in advance!
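
Added example (not part of the original thread and not a Check Point tool): a small Python parser for Tracker records in the `Key: Value` layout shown in the post above, counting which flows are dropped with an `encryption fail reason`. It assumes the records are exported as text blocks separated by blank lines; the sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log in the post (assumed text export).
SAMPLE = """\
Origin: FW1
Action: Drop
Service: Clustering_UDP (24)
Source: Puremessage1(172.16.210.110)
Destination: Puremessage2(172.16.114.188)
Information: encryption fail reason: different hash methods

Origin: FW1
Action: Encrypt
Service: http (80)
Source: HostA(192.0.2.10)
Destination: HostB(192.0.2.20)

Origin: FW1
Action: Drop
Service: Clustering_UDP (24)
Source: Puremessage1(172.16.210.110)
Destination: Puremessage2(172.16.114.188)
Information: encryption fail reason: different hash methods
"""

FAIL = re.compile(r"encryption fail reason:\s*(.+)", re.I)

def parse_records(text):
    """Split blank-line separated records into dicts; split each line on its first ':' only."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def encryption_failures(records):
    """Count drops per (origin, source, destination, service, fail reason)."""
    hits = Counter()
    for rec in records:
        m = FAIL.search(rec.get("Information", ""))
        if rec.get("Action") == "Drop" and m:
            key = tuple(rec.get(f) for f in ("Origin", "Source", "Destination", "Service"))
            hits[key + (m.group(1),)] += 1
    return hits

if __name__ == "__main__":
    for flow, n in encryption_failures(parse_records(SAMPLE)).most_common():
        print(n, *flow, sep=" | ")
```

Grouping by origin gateway, host pair and service shows whether the failure is confined to particular flows or affects everything crossing the tunnel.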

mabu09
2015-02-20, 12:30
Hey laf_c,

I am thinking that your IPSec VPN should not work. With MD5 you have a 128-bit HMAC and with SHA a 160-bit HMAC. MD5 and SHA are two autonomous hash functions. Maybe you have a rule in your policy which will not encrypt your traffic.

Kind regards
mabu09

laf_c
2015-02-23, 05:28
> Hey laf_c,
>
> I am thinking that your IPSec VPN should not work. With MD5 you have a 128-bit HMAC and with SHA a 160-bit HMAC. MD5 and SHA are two autonomous hash functions. Maybe you have a rule in your policy which will not encrypt your traffic.
>
> Kind regards
> mabu09

Still, this works and, believe it or not, it carries an average of 30Mbps of traffic daily. Any insights, guys?