[Swan] Changing IPSec Tunnel

Paul Connolly paulconnolly75 at gmail.com
Sat Feb 23 23:25:03 UTC 2019


I have an IPSec tunnel configured with a third party that has informed me
they require a config change this week, and it's been nearly a year since I
last touched this, so I'm knocking the rust off my Libreswan-Fu.  Below are
the original specs from the third party and the current tunnel config that
is working, as well as the new specs.  Can someone give some guidance on what
changes I need to make in the new config?  PFS=yes seems obvious, and I
assume the ike and phase2alg values need to change; some guidance would be super
helpful.

Orig Specs
Support Key Exchange for Subnets: ON
IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min

IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled
Keepalive: Disabled

Orig IPsec.conf
conn 1
  type=tunnel
  authby=secret
  initial-contact=yes
  encapsulation=yes
  rekey=yes
  auto=start
  pfs=no
  ikelifetime=1440m
  salifetime=60m
  ike=aes256-sha1;dh2
  phase2alg=aes256-sha1;modp1024
  aggrmode=no
  left=%defaultroute

New Specs:
IKE Version: IKEv2
Phase - 1 Parameters
Encryption Algorithm: AES-GCM-256
Integrity algorithm: Null
Diffie-Hellman group: Group 24
Phase-1 lifetime (Secs/KB): 86400 sec

Phase - 2 Parameters
Encryption & Integrity algorithm: ESP-GCM-256
Integrity algorithm: Null
PFS: Yes
Diffie-Hellman group (IF PFS = Yes): Group 24
Phase-2 Lifetime (Secs/KB): 3600 sec

New IPsec.conf
conn 1
  type=tunnel
  authby=secret
  initial-contact=yes
  encapsulation=yes
  rekey=yes
  auto=start
  pfs=yes
  ikelifetime=1440m
  salifetime=60m
  ike=??
  phase2alg=??
  aggrmode=no
  left=%defaultroute
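The following is an added example, not part of the original post and not Libreswan project documentation: it fills the two "??" lines by mapping the third party's new specification onto Libreswan ipsec.conf keywords, keeping every other setting from the poster's working config. The keyword spellings (aes_gcm256, dh24, sha2_256 as the IKEv2 PRF, the -null integrity suffix for ESP, ikev2=insist) are assumptions and should be checked against the ipsec.conf man page of the installed Libreswan version before deployment.

```ini
# Added example (not from the original post or the Libreswan project):
# one way to express the third party's new IKEv2 / AES-GCM-256 / group 24
# specification in Libreswan ipsec.conf syntax. Algorithm keyword spellings
# are assumptions; verify them against the ipsec.conf man page for the
# installed Libreswan version.
conn 1
  type=tunnel
  authby=secret
  ikev2=insist              # new spec: IKEv2 only (assumed keyword/value)
  initial-contact=yes
  encapsulation=yes
  rekey=yes
  auto=start
  pfs=yes                   # new spec: PFS enabled for the Phase 2 (Child) SA
  ikelifetime=1440m         # 1440 min = 86400 sec, matches the new Phase 1 lifetime
  salifetime=60m            # 60 min = 3600 sec, matches the new Phase 2 lifetime
  # Phase 1: AES-GCM-256 is an AEAD cipher, so no separate integrity algorithm
  # is negotiated (the spec's "Integrity algorithm: Null"). IKEv2 still needs
  # a PRF, which Libreswan takes from the integrity slot; sha2_256 is an assumed
  # choice that the peer must also accept. dh24 is Libreswan's name for DH
  # group 24 (2048-bit MODP with a 256-bit prime-order subgroup).
  ike=aes_gcm256-sha2_256;dh24
  # Phase 2: ESP with AES-GCM-256 and no separate integrity algorithm, with
  # group 24 for the PFS exchange (the ";dh24" part only matters because pfs=yes).
  phase2alg=aes_gcm256-null;dh24
  aggrmode=no
  left=%defaultroute
```

After loading the connection (ipsec auto --add 1, then ipsec auto --up 1), the quickest check is the Libreswan log: a successful IKEv2 negotiation shows the selected proposal, while a mismatch with the peer's proposal set surfaces as a NO_PROPOSAL_CHOSEN notify, which usually means one of the assumed keywords (most often the PRF next to the AEAD cipher) does not match what the third party configured.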