[Swan] weakdh.org and logjam Diffie-Hellman attack impact on IKE/IPsec

Paul Wouters paul at nohats.ca
Wed May 20 19:04:35 EEST 2015

I did a write up in response to the paper published at:


You can find it at:


Exec Summary below, you can find more details in my blog post.


TL;DR The LogJam downgrade attack does not apply to MODP groups in the
IKE protocol, only to TLS, so IKE or IPsec is not impacted.

If you are using libreswan you are not vulnerable to weak MODP groups
and using MODP2048 per default unless specifically configured for a
lower MODP group.

If you are using openswan with IKEv2 you are using MODP2048, but if you
are using IKEv1 you are using MODP1536 which is still much stronger than
MODP768 or MODP1024.

Libreswan as a client to a weak server will allow MODP1024 in IKEv1 as
the least secure option, and MODP1536 in IKEv2 as the least secure

Openswan does not properly implement INVALID_KE, so it cannot connect to
another DH group than the one it started out as, so it runs the risk of
getting locked out if the server side bumps their minimum MODP group to
2048. Openswan defaults to MODP1536 in IKEv1 and MODP2048 in IKEv2.
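As an added check (my example, not part of Paul's post or of libreswan's own tooling): given an `ike=` line in libreswan's proposal syntax, report the weakest MODP group it admits, so that a group below the MODP2048 default the post describes does not go unnoticed in a configuration. It assumes that a proposal with no group listed gets MODP2048, and that `+` separates alternative groups; both are assumptions, not facts stated in the post.

```python
import re

# Assumption taken from the post: libreswan uses MODP2048 when no DH group
# is configured explicitly. Groups below MIN_ACCEPTABLE_BITS are flagged.
DEFAULT_MODP_BITS = 2048
MIN_ACCEPTABLE_BITS = 2048

MODP_RE = re.compile(r"^modp(\d+)$")


def modp_groups(ike_line):
    """Return the MODP sizes (in bits) admitted by a libreswan-style ike= line.

    Proposals are comma separated; ';' separates cipher-hash from the DH group
    part; '+' lists alternative groups (assumed syntax, not from the post).
    Non-MODP groups (e.g. ECP) are skipped, since Logjam concerns MODP only.
    """
    value = ike_line.split("=", 1)[1] if "=" in ike_line else ike_line
    sizes = []
    for proposal in value.split(","):
        proposal = proposal.strip()
        if not proposal:
            continue
        parts = proposal.split(";")
        if len(parts) < 2:
            # No explicit group: assume the MODP2048 default described above.
            sizes.append(DEFAULT_MODP_BITS)
            continue
        for group in parts[1].split("+"):
            match = MODP_RE.match(group.strip().lower())
            if match:
                sizes.append(int(match.group(1)))
    return sizes


def weakest_group(ike_line):
    """Smallest MODP group the line admits, or None if it admits no MODP group."""
    groups = modp_groups(ike_line)
    return min(groups) if groups else None


def is_weak(ike_line):
    """True when any admitted MODP group is below the acceptable minimum."""
    weakest = weakest_group(ike_line)
    return weakest is not None and weakest < MIN_ACCEPTABLE_BITS


if __name__ == "__main__":
    # Constructed sample lines: a safe default and one that admits MODP1024.
    for line in ("ike=aes256-sha2;modp2048", "ike=aes256-sha2;modp2048,aes128-sha1;modp1024"):
        print(line, "->", weakest_group(line), "weak" if is_weak(line) else "ok")
```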

