[Swan] Phase 1 and Phase 2 Parameters ?

Sceekar O. sceekar at gmail.com
Sun Apr 29 18:20:49 UTC 2018


Hello Paul,

Thanks a lot for your detailed response - well received.

Regards,

On Sun, Apr 29, 2018 at 5:15 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Sun, 29 Apr 2018, Sceekar O. wrote:
>
> However, I received a Form from a site I want to connect to, to
>> provide Phase 1 and Phase 2 parameters for my VPN
>> setup; and I'm not sure what the right values are.
>>
>> If you can help me fill in the right parameters for each  " ? " in the
>> form below, I would be most grateful.
>>
>
>    ISAKMP SA Authentication Method
>> pre-shared
>>
>
> authby=secret
>
>  ?
>> Phase 1  IPSEC Tunnel
>>    ISAKMP SA Key
>> To be shared
>>  ?
>> Phase 1  IPSEC Tunnel
>>    ISAKMP SA Hash Algorithm
>> SHA
>>  ?
>> Phase 1  IPSEC Tunnel
>>    ISAKMP SA Encryption Algorithm
>> 3DES
>>  ?
>> Phase 1  IPSEC Tunnel
>>    ISAKMP SA Diffie-Hellman Group
>> 2
>>  ?
>>
>
> based on these obsoleted ancient unwise parameters, I assume this is
> ikev2=never
>
> ike=3des-sha1;modp1024
>
> However, note that Diffie-Hellman Group 2 is OBSOLETE and has been
> changed to MUST NOT be implemented in RFC-8247. At the moment, this
> DH group is removed from the default but still allowed to be configured.
> But very soon this will be removed as it is simply too weak, and your
> VPN might break on a libreswan update next year.
>
> version of libreswan it might no longer be possible to
>
> Phase 1  IPSEC Tunnel
>>    ISAKMP SA Life Duration
>> 28800
>>  ?
>>
>
> not negotiated, no option needed.
>
> Phase 1  IPSEC Tunnel
>>    ISAKMP SA Vendor-ID
>> disable
>>  ?
>> Phase 1  IPSEC Tunnel
>>    ISAKMP SA IKE KeepAlive
>> disable
>>  ?
>>
>
> same
>
> Phase 1  IPSEC Tunnel
>>    ISAKMP SA IKE DPD KeepAlive
>> disable
>>  ?
>> Phase 1  IPSEC Tunnel
>>
>
> unwise but means no config option needed.
>
>    IPSec SA
>>
>>    IPSec SA – IPSEC Protocol
>> ESP
>>  ?
>> Phase 2  IPSEC Tunnel
>>    IPSec SA – Mode
>> tunnel
>>  ?
>> Phase 2  IPSEC Tunnel
>>    IPSec SA – Hash Algorithm
>> SHA
>>  ?
>> Phase 2  IPSEC Tunnel
>>    IPSec SA – Encryption Algorithm
>> 3DES
>>  ?
>>
>
> esp=3des-sha1
>
> Phase 2  IPSEC Tunnel
>>    IPSec SA – Life Type
>> 3600
>>  ?
>> Phase 2  IPSEC Tunnel
>>    IPSec SA – PFS
>> enable
>>
>
> pfs=yes
>
>  ?
>> Phase 2  IPSEC Tunnel
>>    IPSec SA – PFS D-H Group
>> group2
>>  ?
>> Phase 2  IPSEC Tunnel
>>    IPSec SA – Compression LZS
>> disable
>>  ?
>>
>
> ipcomp=no (but that is the default already)
>
>
> Your partner side needs to update their 90s crypto to the standards of
> today.
>
> Paul
>
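The two conn sections below collect the option names Paul gives above into one /etc/ipsec.conf fragment, so the mapping from the partner's form to libreswan can be seen in one place. This is an added example, not configuration from the thread or from the libreswan project: the connection names, the 192.0.2.x / 198.51.100.x endpoints and the 10.0.x.0/24 subnets are assumed, the lifetime values are copied from the form, and the "partner-modern" algorithm choices are an assumption about what "the standards of today" might look like, since the thread names no specific replacement.

```ini
# /etc/ipsec.conf, assembled from the answers in the thread (added example).
# Endpoints, subnets and conn names are assumptions; the partner-modern
# algorithms are an assumed illustration, not values from the thread.

conn partner-legacy
    # Phase 1: IKEv1 only. The form talks about ISAKMP / Phase 1 / Phase 2,
    # which is IKEv1 terminology. libreswan 3.x spelling; 4.x writes ikev2=no.
    ikev2=never
    # "ISAKMP SA Authentication Method: pre-shared" -> PSK in /etc/ipsec.secrets
    authby=secret
    # 3DES, SHA-1, Diffie-Hellman group 2 (modp1024). Group 2 is MUST NOT in
    # RFC 8247; it was dropped from the defaults but is still accepted when
    # configured explicitly, so expect this line to break on an upgrade.
    ike=3des-sha1;modp1024
    # "ISAKMP SA Life Duration 28800": IKEv1 lifetimes are not negotiated,
    # so this does not have to match the peer; 8h only mirrors the form.
    ikelifetime=8h
    # Phase 2: ESP in tunnel mode (both are libreswan defaults), 3DES, SHA-1
    type=tunnel
    esp=3des-sha1
    # "PFS: enable". With no group given in esp=, the IKE SA group (modp1024)
    # is reused for PFS, which is the form's "group2".
    pfs=yes
    # "IPSec SA Life Type 3600"
    salifetime=1h
    # "Compression LZS: disable" is already the default
    ipcomp=no
    # Vendor-ID, IKE KeepAlive and DPD all "disable": no option needed.
    # Assumed endpoints and protected networks:
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    auto=start

conn partner-modern
    # Assumed example of what the partner would need to offer instead:
    # IKEv2 only, AES-256 with SHA-2 and an ECP-256 group (dh19) for IKE,
    # AES-GCM for ESP, same pre-shared key. libreswan 4.x writes ikev2=yes.
    ikev2=insist
    authby=secret
    ike=aes256-sha2_256;dh19
    esp=aes_gcm256
    pfs=yes
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    auto=start
```

The "To be shared" ISAKMP SA Key goes into /etc/ipsec.secrets rather than ipsec.conf, in the form `192.0.2.1 198.51.100.1 : PSK "the-shared-secret"` (with the assumed addresses above). After that, `ipsec auto --add partner-legacy` followed by `ipsec auto --up partner-legacy` brings the tunnel up; the `ike=` line is the one to watch in the log, since it is the first thing a newer libreswan will refuse once modp1024 is removed from the parser as well as from the defaults.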