[Swan] Changing IPSec Tunnel

Paul Wouters paul at nohats.ca
Sun Feb 24 01:25:25 UTC 2019 

On Sat, 23 Feb 2019, Paul Connolly wrote:

> I have an IPSec tunnel configured with a third party that has informed me they require a config change this week and it's been nearly a year since I last touched this so I'm knocking the
> rust off my Libreswan-Fu.  Below are the original specs from the third party and the current tunnel config that is working as well as the new specs.  Can someone give some guidance what
> changes I need to make on the new config?  PFS=yes seems obvious and I assume ike and phase2alg values need to change some guidance would be super helpful.

I'm glad to see people migrating to more secure parameters. I wish more
people did that!

> Orig IPsec.conf

>   ikelifetime=1440m
>   salifetime=60m
>   ike=aes256-sha1;dh2
>   phase2alg=aes256-sha1;modp1024

> New Specs:
> IKE Version:IKEv2

 	ikev2=insist

> Phase - 1 Parameters
> Encryption Algorithm: AES-GCM-256
> Integrity algorithm: Null
> Diffie-Hellman group: Group 24

Now this is tricky. They want DH24? There are issues with DH 22-24, see:

https://tools.ietf.org/html/rfc8247#section-2.4

    Groups 22, 23, and 24 are MODP groups with Prime Order Subgroups that
    are not safe primes.  The seeds for these groups have not been
    publicly released, resulting in reduced trust in these groups.  These
    groups were proposed as alternatives for groups 2 and 14 but never
    saw wide deployment.  It has been shown that group 22 with 1024-bit
    MODP is too weak and academia have the resources to generate
    malicious values at this size.  This has resulted in group 22 to be
    demoted to MUST NOT.  Groups 23 and 24 have been demoted to SHOULD
    NOT and are expected to be further downgraded in the near future to
    MUST NOT.  Since groups 23 and 24 have small subgroups, the checks
    specified in the first bullet point of Section 2.2 of "Additional
    Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2
    (IKEv2)" [RFC6989] MUST be done when these groups are used.


libreswan supports DH 22-24 but no longer compiles support in per
default, and depending on your compile/distro, you might have to
recompile with USE_DH24=true set in Makefile.inc (or Makefile.inc.local)

If you do, then the ike= line becomes:

 	ike=aes_gcm256-sha2_256;dh24

But I recommend:

 	ike=aes_gcm256-sha2_256;dh19

Note the sha2_256 here stands for the PRF, not the INTEG (GCM is an AEAD
algorithm with builtin integrity with encryption)

> Phase-1 lifetime (Secs/KB): 86400 sec

 	ikelifetime-86400

> Phase - 2 Parameters
> Encryption & Integrity algorithm: ESP-GCM-256
> Integrity algorithm: Null
> PFS: Yes

 	esp=aes_gcm256;dh19

(or dh24 see above)

The DH on the esp= line is for pfs=yes

> Diffie-Hellman group (IF PFS = Yes):Group 24
> Phase-2 Lifetime (Secs/KB): 3600 sec

 	salifetime=3600

If you upgrade these, since you are using a PSK which is vulnerable to
disctionary attacks, please use a minimal of 32 random character PSK.

Paul

More information about the Swan mailing list