SHA2-256 compatibility on SRX branch series and other platforms

This article describes the issue of the SRX device, which has configured VPN with SHA2 in the IPsec proposal, being unable to decrypt the encrypted traffic; even though it has established the VPN tunnel.

Junos and SSG have two generations of SHA2-256 algorithms; the first one uses the 96 bit-length data field and the second one uses the 128 bit-length data field.

Due to this gap, there is an issue with encrypting or decrypting traffic between generations. For example, configure a SSG device and a SRX device as the VPN gateway and use SHA2 in the IPsec proposal:

SSG and SRX will match the proposals that are sent from each other. Both of the nodes negotiate to use SHA2 as authentication algorithm. The negotiation will be completed without any error and then the tunnel will come up:

However, SRX does not encrypt with the proper message digest length. So, SSG fails to decrypt the traffic. You will notice the Drop log in the debug flow basic log on the SSG side, when pinging from behind SRX to the SSG side:

In case of pinging from any source behind SSG to the SRX side, no such logs are found; but only the drop log can be found in flow traceoption:

The HMAC calculation on the 2nd generation uses 96 bit length truncation. it was introduced and supported, as mentioned in the following table:

SHA2-256 compatibility on SRX branch series and other platforms-1

The following combinations experience this compatibility issue:

SHA2-256 compatibility on SRX branch series and other platforms-2

For example, if a SRX device that uses 11.2R4 connects the VPN tunnel with SSG, which uses 6.3r4 or earlier, It works normally; but if Junos is upgraded to 11.2R6 or ScreenOS is upgraded to 6.3r5, the gateways fail to decrypt the traffic from others. Subsequently, traffic over the VPN tunnel will be dropped.

With the SRX family, this issue is noticed only with SRX branch devices.

If the remote gateway uses 128 bit and the platform is NS/SSG, use set envar hmac-sha256-96=yes on the SSG side to allow 96 bit truncated message digest. In case of SRX/SRX VPN, use the same release on both of the gateways.

About the author


Leave a Comment