IPMAN
New Member
September 22, 2008
Question

Using SHA for authentication instead of SHA-1

We've been trying to set up a site-to-site VPN tunnel to one of our vendors using a preshared key. The encryption is AES256 and the Authentication is supposed to be SHA (not SHA-1). SHA is not an Authentication option within the Fortigate units but SHA-1 is. From what we can tell, SHA and SHA-1 differ from one another. This makes sense as the log entry we are receiving when we try to bring up the tunnel states "NO_PROPOSAL_CHOSEN". My question for everyone/anyone is, "Is there a way to use SHA as an authentication option within the Fortigate 200 instead of SHA-1?" We cannot use MD5 or SHA-1 as our vendor does not support that. Maybe a manual override? Any help would be appreciated. Thanks...
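The NO_PROPOSAL_CHOSEN in the question is the IKE responder reporting that none of the initiator's transforms (cipher, hash, DH group as a combination) match anything it offers. The following is an added example, not code from the original post or from Fortinet; it models that negotiation and pinpoints which attribute has no overlap. The proposal values are constructed from the post (AES256; "sha" on one side, SHA-1/MD5 on the other), and the DH group is an assumption since the post does not state one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    """One IKE phase-1 proposal entry: cipher, integrity/hash algorithm, DH group."""
    encryption: str
    authentication: str
    dh_group: int


def negotiate(initiator, responder):
    """Responder accepts the first initiator transform it also offers.

    Returns None when no combination matches, which is the condition the
    responder signals as NO_PROPOSAL_CHOSEN."""
    for t in initiator:
        if t in responder:
            return t
    return None


ATTRIBUTES = ("encryption", "authentication", "dh_group")


def mismatch_report(initiator, responder):
    """For each attribute with no common value, return (initiator values, responder values).

    An empty dict means every attribute overlaps individually, so a failed
    negotiation is caused by the combination of attributes, not a single one."""
    report = {}
    for attr in ATTRIBUTES:
        ours = {getattr(t, attr) for t in initiator}
        theirs = {getattr(t, attr) for t in responder}
        if not ours & theirs:
            report[attr] = (sorted(map(str, ours)), sorted(map(str, theirs)))
    return report


# Constructed proposals modelled on the post. DH group 5 is an assumption.
VENDOR = [Transform("aes256", "sha", 5)]                       # peer that only lists "SHA"
FORTIGATE = [Transform("aes256", "sha1", 5), Transform("aes256", "md5", 5)]
VENDOR_FIXED = [Transform("aes256", "sha1", 5)]                # peer after aligning on SHA-1

if __name__ == "__main__":
    print(negotiate(VENDOR, FORTIGATE))        # None -> NO_PROPOSAL_CHOSEN
    print(mismatch_report(VENDOR, FORTIGATE))  # only 'authentication' has no common value
    print(negotiate(VENDOR_FIXED, FORTIGATE))  # a matching transform once both sides say sha1
```

Comparing both peers' configured proposals attribute by attribute, as `mismatch_report` does, is quicker than reading IKE debug output when the only symptom is NO_PROPOSAL_CHOSEN.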

    4 replies

    FortiRack_Eric
    New Member
    September 23, 2008
    SHA-1 is perfect within the standards. The other versions of SHA are SHA-0, which is obsolete due to the fact that it is too vulnerable. SHA-1 is also not perfect (predictability of collisions), so that is why SHA-256 is developed, but that is rarely implemented in security devices yet. You may also choose MD5. Cheers, Eric
    laf
    New Member
    September 23, 2008
    You could try on console to see all the available options. Unfortunately no mention of the SHA, only SHA-1 and MD5 (the classic ones) so you will have to go for another solution of connecting to that site.
    abelio
    SuperUser
    September 23, 2008
    Agree with Eric, SHA (or SHA-0) was deprecated several years ago; SHA-1/MD5 are the only available options by now in FTG units. Ipman, try to force the other peer to some more standard. Good luck
    IPMAN (Author)
    New Member
    September 23, 2008
    Thank you all for the feedback. We are trying to force the peer to allow SHA-1, but they are a multi-billion dollar company that has adopted ISO standards, and for them to make a change for a single client would require quite a bit of work on their end. Nonetheless, we'll see how it goes.
    FortiRack_Eric
    New Member
    September 24, 2008
    SHA-0 isn't in the IPsec standard anymore. You'll have to look up the according standard. Good luck