[Swan] Changing IPSec Tunnel
Paul Connolly
paulconnolly75 at gmail.com
Sat Feb 23 18:44:54 UTC 2019
I have an IPSec tunnel configured with a third party that has informed me
they require a config change this week, and it's been nearly a year since I
last touched this, so I'm knocking the rust off my Libreswan-Fu. Below are
the original specs from the third party and the current tunnel config that
is working, as well as the new specs. Can someone give some guidance on what
changes I need to make in the new config? PFS=yes seems obvious, and I
assume the ike and phase2alg values need to change; some guidance would be super
helpful.
Orig Specs
Support Key Exchanged for Subnets: ON
IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min
IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled
Keepalive: Disabled
Orig IPsec.conf
conn 1
type=tunnel
authby=secret
initial-contact=yes
encapsulation=yes
rekey=yes
auto=start
pfs=no
ikelifetime=1440m
salifetime=60m
ike=aes256-sha1;dh2
phase2alg=aes256-sha1;modp1024
aggrmode=no
left=%defaultroute
New Specs:
IKE Version: IKEv2
Phase - 1 Parameters
Encryption Algorithm: AES-GCM-256
Integrity algorithm: Null
Diffie-Hellman group: Group 24
Phase-1 lifetime (Secs/KB): 86400 sec
Phase - 2 Parameters
Encryption & Integrity algorithm: ESP-GCM-256
Integrity algorithm: Null
PFS: Yes
Diffie-Hellman group (IF PFS = Yes): Group 24
Phase-2 Lifetime (Secs/KB): 3600 sec
New IPsec.conf
conn 1
type=tunnel
authby=secret
initial-contact=yes
encapsulation=yes
rekey=yes
auto=start
pfs=yes
ikelifetime=1440m
salifetime=60m
ike=??
phase2alg=??
aggrmode=no
left=%defaultroute
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190223/e0645f88/attachment.html>
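As an added example (not part of the original post and not a reply from the list), here is one way to write the new specification in Libreswan's ipsec.conf syntax. The proposal strings, the choice of sha2_256 as the IKEv2 PRF (the third party's spec lists no PRF, so that value is an assumption) and the reading that Libreswan takes the second field of ike= as the PRF when the cipher is AEAD are my own, and should be confirmed on the gateway before the change window:

```conf
conn 1
	type=tunnel
	authby=secret
	# The new spec requires IKEv2; do not fall back to IKEv1
	ikev2=insist
	initial-contact=yes
	encapsulation=yes
	rekey=yes
	auto=start
	# Phase 1: AES-GCM-256 is an AEAD cipher and carries its own integrity
	# check, which is why the spec lists "Integrity algorithm: Null".
	# IKEv2 still needs a PRF; sha2_256 here is an assumption, not from the spec.
	# Group 24 is the RFC 5114 2048-bit MODP group with 256-bit subgroup (dh24).
	ike=aes_gcm256-sha2_256;dh24
	# 86400 s is the same 24 h as the old ikelifetime=1440m
	ikelifetime=86400s
	# Phase 2: ESP-GCM-256 with null integrity, PFS on, Group 24 for the PFS exchange
	pfs=yes
	phase2alg=aes_gcm256-null;dh24
	# 3600 s, unchanged from the old salifetime=60m
	salifetime=3600s
	# aggrmode only applies to IKEv1 and is ignored for IKEv2; kept from the old conn
	aggrmode=no
	left=%defaultroute
```

Two things worth checking before relying on this. First, Libreswan treats the RFC 5114 groups (dh22, dh23, dh24) as a compile-time option and packaged builds may leave them out, so run `ipsec algparse 'ike=aes_gcm256-sha2_256;dh24'` and `ipsec algparse 'esp=aes_gcm256-null;dh24'` on the gateway: if the parser rejects dh24, the build cannot offer Group 24 and the third party would need to agree on a supported group (dh14 or an ECP group) instead. Second, after editing the conn, reload it with `ipsec auto --replace 1` followed by `ipsec auto --up 1` and confirm in `ipsec status` that the negotiated IKE and ESP proposals match what the third party expects, since a mismatch on the PRF or DH group is the usual reason an otherwise correct AES-GCM tunnel fails at NO_PROPOSAL_CHOSEN.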