[Swan] Phase 1 and Phase 2 Parameters ?

Paul Wouters paul at nohats.ca
Sun Apr 29 16:15:45 UTC 2018


On Sun, 29 Apr 2018, Sceekar O. wrote:

> However, I received a Form from a site I want to connect to, to provide Phase 1 and Phase 2 parameters for my VPN
> setup; and I'm not sure what the right values are.
> 
> If you can help me fill in the right parameters for each " ? " in the form below, I would be most grateful.

>    ISAKMP SA Authentication Method
> pre-shared

authby=secret

>  ?
> Phase 1  IPSEC Tunnel
>    ISAKMP SA Key
> To be shared
>  ?
> Phase 1  IPSEC Tunnel
>    ISAKMP SA Hash Algorithm
> SHA
>  ?
> Phase 1  IPSEC Tunnel
>    ISAKMP SA Encryption Algorithm
> 3DES
>  ?
> Phase 1  IPSEC Tunnel
>    ISAKMP SA Diffie-Hellman Group
> 2
>  ?

Based on these obsolete, ancient, unwise parameters, I assume this is
ikev2=never

ike=3des-sha1;modp1024

However, note that Diffie-Hellman Group 2 is OBSOLETE and has been
changed to MUST NOT be implemented in RFC-8247. At the moment, this
DH group is removed from the default but still allowed to be configured.
But very soon this will be removed as it is simply too weak, and your
VPN might break on a libreswan update next year.

version of libreswan it might no longer be possible to

> Phase 1  IPSEC Tunnel
>    ISAKMP SA Life Duration
> 28800
>  ?

Not negotiated, no option needed.

> Phase 1  IPSEC Tunnel
>    ISAKMP SA Vendor-ID
> disable
>  ?
> Phase 1  IPSEC Tunnel
>    ISAKMP SA IKE KeepAlive
> disable
>  ?

Same.

> Phase 1  IPSEC Tunnel
>    ISAKMP SA IKE DPD KeepAlive
> disable
>  ?
> Phase 1  IPSEC Tunnel

Unwise, but it means no config option is needed.

>    IPSec SA
> 
>    IPSec SA – IPSEC Protocol
> ESP
>  ?
> Phase 2  IPSEC Tunnel
>    IPSec SA – Mode
> tunnel
>  ?
> Phase 2  IPSEC Tunnel
>    IPSec SA – Hash Algorithm
> SHA
>  ?
> Phase 2  IPSEC Tunnel
>    IPSec SA – Encryption Algorithm
> 3DES
>  ?

esp=3des-sha1

> Phase 2  IPSEC Tunnel
>    IPSec SA – Life Type
> 3600
>  ?
> Phase 2  IPSEC Tunnel
>    IPSec SA – PFS
> enable

pfs=yes

>  ?
> Phase 2  IPSEC Tunnel
>    IPSec SA – PFS D-H Group
> group2
>  ?
> Phase 2  IPSEC Tunnel
>    IPSec SA – Compression LZS
> disable
>  ?

ipcomp=no (but that is the default already)


Your partner side needs to update their 90s crypto to the standards of
today.

Paul
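The options given above, assembled into one libreswan ipsec.conf conn section, plus a second conn showing the IKEv2 direction the partner should move to. This is an added example, not part of Paul's reply or libreswan's own documentation; the conn names, addresses, subnets and the secret are placeholders.

```ini
# Added example (not from the message above): the form's Phase 1 / Phase 2
# values mapped onto libreswan ipsec.conf options. Addresses, subnets and
# conn names are placeholders.
conn partner-legacy
    ikev2=never                 # the partner's form only describes IKEv1 (Phase 1 / Phase 2)
    authby=secret               # ISAKMP SA Authentication Method: pre-shared
    ike=3des-sha1;modp1024      # Phase 1: 3DES, SHA1, DH group 2 (obsolete; removed from defaults)
    esp=3des-sha1               # Phase 2: ESP with 3DES, SHA1
    pfs=yes                     # PFS enabled; with no group in esp=, the Phase 1 DH group (group2) is reused
    type=tunnel                 # IPsec SA Mode: tunnel (already the default)
    ipcomp=no                   # Compression LZS: disable (already the default)
    ikelifetime=8h              # optional: the form's 28800s; lifetimes are not negotiated, each side rekeys on its own timer
    salifetime=1h               # optional: the form's 3600s
    left=203.0.113.10           # placeholder: our gateway
    leftsubnet=10.10.0.0/24     # placeholder: our protected network
    right=198.51.100.20         # placeholder: partner gateway
    rightsubnet=10.20.0.0/24    # placeholder: partner network
    auto=start

# The "ISAKMP SA Key" (the pre-shared secret) does not go in ipsec.conf but in
# /etc/ipsec.secrets, keyed on the two gateway addresses:
#   203.0.113.10 198.51.100.20 : PSK "placeholder-shared-secret"

# Beyond the message: what the partner side should move to. With ikev2=insist and
# no ike=/esp= lines, libreswan proposes its own IKEv2 defaults (AES, SHA-2 and
# DH groups that are still allowed), so the group 2 / 3DES problem disappears.
conn partner-modern
    ikev2=insist
    authby=secret
    pfs=yes
    left=203.0.113.10
    leftsubnet=10.10.0.0/24
    right=198.51.100.20
    rightsubnet=10.20.0.0/24
    auto=start
```

After loading the conn, `ipsec status` (or the pluto log) shows which IKE and ESP proposals were actually agreed, which is the quickest way to confirm the partner really negotiated what the form claims.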