Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IPMAN
New Contributor

Using SHA for authentication instead of SHA-1

We've been trying to set up a site-to-site VPN tunnel to one of our vendors using a pre-shared key. The encryption is AES256 and the authentication is supposed to be SHA (not SHA-1). SHA is not an authentication option within the FortiGate units, but SHA-1 is. From what we can tell, SHA and SHA-1 differ from one another. This makes sense, as the log entry we are receiving when we try to bring up the tunnel states "NO_PROPOSAL_CHOSEN". My question for everyone/anyone is, "Is there a way to use SHA as an authentication option within the FortiGate 200 instead of SHA-1?" We cannot use MD5 or SHA-1 as our vendor does not support that. Maybe a manual override? Any help would be appreciated. Thanks...
Dustin Niglio Payment Logistics Limited pcidss@paymentlogistics.com www.pcilogistics.com
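As an added example (not code from this thread, from Fortinet, or from the vendor in question): a small Python model of IKEv1 phase 1 proposal selection, showing how a responder ends up logging NO_PROPOSAL_CHOSEN. In the IKEv1 attribute registry (RFC 2409, Appendix A) hash algorithm value 2 is spelled "SHA" and is defined there as SHA-1, so a peer whose UI offers "SHA" and a FortiGate that offers "SHA1" are normally proposing the same algorithm; whether that holds for the original poster's vendor is an assumption, since the thread does not say what the vendor's UI actually sends. The code normalises those spellings into registry values, then shows the two cases in which the tunnel genuinely fails: a hash the responder does not offer, and a DH group mismatch. The proposal lists, the `transform`/`select`/`explain_mismatch` helpers and the scenario names are all constructed for the illustration.

```python
"""Toy model of IKEv1 phase 1 proposal matching (added example, not from the thread).

Identifiers follow the IKEv1 attribute registry (RFC 2409 Appendix A):
hash algorithm 1 = MD5, 2 = SHA (defined there as SHA-1), 4/5/6 = SHA2-256/384/512;
encryption 5 = 3DES-CBC, 7 = AES-CBC, with the AES key length sent as a
separate attribute. All proposal lists below are constructed for the scenario.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Vendor spellings that all name the same registry hash value.
HASH_IDS: Dict[str, int] = {
    "md5": 1, "hmac-md5": 1,
    "sha": 2, "sha1": 2, "sha-1": 2, "hmac-sha1": 2, "hmac-sha-1": 2,
    "sha256": 4, "sha-256": 4, "sha2-256": 4,
    "sha384": 5, "sha2-384": 5, "sha512": 6, "sha2-512": 6,
}
HASH_NAMES = {1: "MD5", 2: "SHA-1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}

# Encryption spelling -> (algorithm id, key length in bits).
ENC_IDS: Dict[str, Tuple[int, int]] = {
    "3des": (5, 192),
    "aes128": (7, 128), "aes-128": (7, 128),
    "aes192": (7, 192), "aes-192": (7, 192),
    "aes256": (7, 256), "aes-256": (7, 256),
}
ENC_NAMES = {5: "3DES", 7: "AES"}


@dataclass(frozen=True)
class Transform:
    enc: int        # encryption algorithm id
    key_bits: int   # key length attribute
    hash_alg: int   # hash algorithm id
    dh_group: int   # Diffie-Hellman group (2 = 1024-bit MODP, 14 = 2048-bit MODP)

    def __str__(self) -> str:
        return f"{ENC_NAMES[self.enc]}-{self.key_bits}/{HASH_NAMES[self.hash_alg]}/DH{self.dh_group}"


def transform(enc: str, hash_name: str, dh_group: int) -> Transform:
    """Normalise vendor-style spellings ('aes256', 'SHA') into registry values."""
    e, h = enc.lower(), hash_name.lower()
    if e not in ENC_IDS:
        raise ValueError(f"unknown encryption name {enc!r}")
    if h not in HASH_IDS:
        raise ValueError(f"unknown hash name {hash_name!r}")
    alg, bits = ENC_IDS[e]
    return Transform(alg, bits, HASH_IDS[h], dh_group)


def select(initiator: List[Transform], responder: List[Transform]) -> Optional[Transform]:
    """The responder takes the first transform in the initiator's offer that it also
    has configured. With no common transform it answers with the ISAKMP notify
    NO_PROPOSAL_CHOSEN (type 14, RFC 2408) and phase 1 never completes."""
    ours = set(responder)
    for t in initiator:
        if t in ours:
            return t
    return None


def explain_mismatch(initiator: List[Transform], responder: List[Transform]) -> List[str]:
    """Name the attributes with no overlap at all: the first thing to compare on both
    peers when the only evidence is a NO_PROPOSAL_CHOSEN log line."""
    views = (
        ("hash", lambda t: HASH_NAMES[t.hash_alg]),
        ("encryption", lambda t: f"{ENC_NAMES[t.enc]}-{t.key_bits}"),
        ("dh_group", lambda t: t.dh_group),
    )
    reasons = []
    for label, view in views:
        offered, have = {view(t) for t in initiator}, {view(t) for t in responder}
        if not offered & have:
            reasons.append(f"{label}: initiator offers {sorted(offered)}, responder has {sorted(have)}")
    return reasons


# Scenario 1 (constructed): the vendor's UI says "SHA", the FortiGate is set to SHA1.
def scenario_sha_alias() -> Optional[Transform]:
    vendor = [transform("aes256", "SHA", 2)]
    fortigate = [transform("aes256", "sha1", 2), transform("aes256", "md5", 2)]
    return select(vendor, fortigate)


# Scenario 2 (constructed): the vendor really requires SHA2-256, which this FortiGate lacks.
def scenario_sha256_required() -> Tuple[Optional[Transform], List[str]]:
    vendor = [transform("aes256", "sha256", 2)]
    fortigate = [transform("aes256", "sha1", 2), transform("aes256", "md5", 2)]
    return select(vendor, fortigate), explain_mismatch(vendor, fortigate)


if __name__ == "__main__":
    print("vendor 'SHA' vs FortiGate sha1:", scenario_sha_alias())
    chosen, why = scenario_sha256_required()
    print("vendor sha256 vs FortiGate sha1/md5:", chosen or "NO_PROPOSAL_CHOSEN", why)
```

The practical check this models: NO_PROPOSAL_CHOSEN only tells you that nothing in the initiator's offer matched, not which attribute missed, so compare hash, encryption plus key length, and DH group separately on both peers before assuming the hash name is the culprit.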
5 REPLIES
FortiRack_Eric
New Contributor III

SHA-1 is perfect within the standards. The other version of SHA is SHA-0, which is obsolete due to the fact that it is too vulnerable. SHA-1 is also not perfect (predictability of collisions), so that is why SHA-256 was developed, but that is rarely implemented in security devices yet. You may also choose MD5. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
laf
New Contributor II

You could try on the console to see all the available options. Unfortunately there is no mention of SHA, only SHA-1 and MD5 (the classic ones), so you will have to go for another solution for connecting to that site.

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
abelio

Agree with Eric, SHA (or SHA-0) was deprecated several years ago; SHA-1/MD5 are the only available options by now in FTG units. Ipman, try to force the other peer to some more standard. Good luck

regards / Abel
IPMAN
New Contributor

Thank you all for the feedback. We are trying to force the peer to allow SHA-1, but they are a multi-billion-dollar company that has adopted ISO standards, and for them to make a change for a single client would require quite a bit of work on their end. Nonetheless, we'll see how it goes.
Dustin Niglio Payment Logistics Limited pcidss@paymentlogistics.com www.pcilogistics.com
FortiRack_Eric
New Contributor III

SHA-0 isn't in the IPsec standard anymore. You'll have to look up the corresponding standard. Good luck

Rackmount your Fortinet --> http://www.rackmount.it/fortirack