Hope you are doing well.
I just want some advice from you. Indeed, I am using ScreenOS:
I am configuring a VPN and my partner is requiring HMAC-SHA256 to be set at 128 bits for IKEv1 phase 2 negotiation.
As of ScreenOS version 6.3r5, the truncation lengths of HMAC-SHA-256 in IPsec have been changed to 128 bits to comply with RFC4868. To allow interoperability with earlier ScreenOS versions, "set envar hmac-sha256-96=yes" is introduced.
For IKE Phase 2 negotiations, the early ScreenOS implemented authentication algorithm HMAC-SHA2-256 with the truncation lengths of 96 bits. This truncation length does not comply with RFC4868. To comply with RFC4868, the truncation lengths have been changed to 128 bits after ScreenOS version 6.3r5. The change in truncation lengths after ScreenOS version 6.3r5 causes it not to interoperate with earlier ScreenOS versions which use HMAC-SHA-256 with 96-bit truncation lengths. The change affects both IKEv1 and IKEv2.
This will allow Phase 2 negotiation to complete between an HMAC-SHA-256-128 negotiator and a non-standard HMAC-SHA-256-96 negotiator, but received ESP packets will be dropped due to invalid ESP payload lengths.
---------------------
Based on this, I understood that since ScreenOS version 6.3r5, the truncation lengths of HMAC-SHA-256 in IPsec have been changed to 128 bits. Is that the default value?
1. Do we have any way to check the currently configured bits?
2. Is there a possibility to change this value in case 96 bits is configured at this moment?
3. I was looking for the command to change this value and I found "set envar hmac-sha256-96=yes". Should I change 96 to 128? If so, do I need to restart the box afterwards?
Any other advice is welcome,
Thanks
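The interoperability failure quoted in the post (Phase 2 succeeds, but ESP packets are dropped because the ICV length does not match) comes down to how many bytes of the HMAC-SHA-256 output each side appends to the ESP packet. The following is an added example, not code from the original post or from Juniper, that models both sides: the sender truncates the MAC to 96 or 128 bits, and the receiver strips the trailing ICV of the length it was configured for and verifies it. The key, SPI, sequence number and ciphertext bytes are constructed placeholders, and the packet layout is simplified to "authenticated data followed by ICV" so the length effect is visible.

```python
import hmac
import hashlib

# Constructed sample values (not a real key, not real traffic).
KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f"
    "101112131415161718191a1b1c1d1e1f"
)  # 32-byte key, the HMAC-SHA-256 key length RFC 4868 specifies
SPI_AND_SEQ = bytes.fromhex("00001234" "00000001")        # SPI 0x1234, sequence 1
CIPHERTEXT = b"constructed-encrypted-esp-payload"         # stands in for the encrypted body
AUTHENTICATED = SPI_AND_SEQ + CIPHERTEXT                  # everything ESP covers with the ICV

RFC4868_BITS = 128   # HMAC-SHA-256-128, ScreenOS 6.3r5 and later
LEGACY_BITS = 96     # HMAC-SHA-256-96, pre-6.3r5 ScreenOS (non-standard)


def esp_icv(key: bytes, authenticated: bytes, truncation_bits: int) -> bytes:
    """HMAC-SHA-256 over the authenticated portion, truncated to the leftmost
    truncation_bits bits (RFC 4868 mandates 128; early ScreenOS used 96)."""
    if truncation_bits % 8 or not 0 < truncation_bits <= 256:
        raise ValueError("truncation must be a whole number of bytes, at most 256 bits")
    full_mac = hmac.new(key, authenticated, hashlib.sha256).digest()
    return full_mac[: truncation_bits // 8]


def build_esp_packet(key: bytes, authenticated: bytes, truncation_bits: int) -> bytes:
    """Sender side: append the truncated ICV after the authenticated data."""
    return authenticated + esp_icv(key, authenticated, truncation_bits)


def verify_esp_packet(key: bytes, packet: bytes, expected_truncation_bits: int) -> bool:
    """Receiver side: take the trailing ICV of the configured length and recompute.

    A receiver expecting 128 bits that gets a 96-bit ICV slices 16 bytes off the
    end, so 4 bytes of ciphertext end up in the 'ICV' and are missing from the
    authenticated data; the comparison fails and the packet is dropped. The
    mismatch is symmetric: a 96-bit receiver also rejects a 128-bit sender.
    """
    icv_len = expected_truncation_bits // 8
    if len(packet) <= icv_len:
        return False
    authenticated, received_icv = packet[:-icv_len], packet[-icv_len:]
    expected_icv = esp_icv(key, authenticated, expected_truncation_bits)
    # Constant-time comparison, as a real ESP implementation should use.
    return hmac.compare_digest(received_icv, expected_icv)


def interop_matrix(key: bytes, authenticated: bytes) -> dict:
    """Every sender/receiver truncation pairing; only matching lengths verify."""
    results = {}
    for send_bits in (LEGACY_BITS, RFC4868_BITS):
        packet = build_esp_packet(key, authenticated, send_bits)
        for recv_bits in (LEGACY_BITS, RFC4868_BITS):
            results[(send_bits, recv_bits)] = verify_esp_packet(key, packet, recv_bits)
    return results


if __name__ == "__main__":
    for (send_bits, recv_bits), ok in interop_matrix(KEY, AUTHENTICATED).items():
        print(f"sender {send_bits}-bit ICV -> receiver expects {recv_bits}-bit: "
              f"{'accepted' if ok else 'dropped'}")
```

The matrix makes the operational point: both peers must agree on the truncation length, and because IKE Phase 2 carries only the algorithm identifier, not the truncation length, the mismatch is invisible until ESP traffic flows. That is why the post's quoted note says negotiation completes but packets are dropped, and why the fix is an explicit setting on the side that must match its peer rather than anything in the IKE proposal.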