[Swan] Changing IPSec Tunnel
Paul Wouters
paul at nohats.ca
Sun Feb 24 01:25:25 UTC 2019
On Sat, 23 Feb 2019, Paul Connolly wrote:
> I have an IPSec tunnel configured with a third party that has informed me they require a config change this week and it's been nearly a year since I last touched this so I'm knocking the
> rust off my Libreswan-Fu. Below are the original specs from the third party and the current tunnel config that is working as well as the new specs. Can someone give some guidance what
> changes I need to make on the new config? PFS=yes seems obvious and I assume ike and phase2alg values need to change; some guidance would be super helpful.
I'm glad to see people migrating to more secure parameters. I wish more
people did that!
> Orig IPsec.conf
> ikelifetime=1440m
> salifetime=60m
> ike=aes256-sha1;dh2
> phase2alg=aes256-sha1;modp1024
> New Specs:
> IKE Version:IKEv2
ikev2=insist
> Phase - 1 Parameters
> Encryption Algorithm: AES-GCM-256
> Integrity algorithm: Null
> Diffie-Hellman group: Group 24
Now this is tricky. They want DH24? There are issues with DH 22-24, see:
https://tools.ietf.org/html/rfc8247#section-2.4
Groups 22, 23, and 24 are MODP groups with Prime Order Subgroups that
are not safe primes. The seeds for these groups have not been
publicly released, resulting in reduced trust in these groups. These
groups were proposed as alternatives for groups 2 and 14 but never
saw wide deployment. It has been shown that group 22 with 1024-bit
MODP is too weak and academia have the resources to generate
malicious values at this size. This has resulted in group 22 to be
demoted to MUST NOT. Groups 23 and 24 have been demoted to SHOULD
NOT and are expected to be further downgraded in the near future to
MUST NOT. Since groups 23 and 24 have small subgroups, the checks
specified in the first bullet point of Section 2.2 of "Additional
Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2
(IKEv2)" [RFC6989] MUST be done when these groups are used.
libreswan supports DH 22-24 but no longer compiles support in per
default, and depending on your compile/distro, you might have to
recompile with USE_DH24=true set in Makefile.inc (or Makefile.inc.local)
If you do, then the ike= line becomes:
ike=aes_gcm256-sha2_256;dh24
But I recommend:
ike=aes_gcm256-sha2_256;dh19
Note the sha2_256 here stands for the PRF, not the INTEG (GCM is an AEAD
algorithm with builtin integrity with encryption)
> Phase-1 lifetime (Secs/KB): 86400 sec
ikelifetime=86400
> Phase - 2 Parameters
> Encryption & Integrity algorithm: ESP-GCM-256
> Integrity algorithm: Null
> PFS: Yes
esp=aes_gcm256;dh19
(or dh24 see above)
The DH on the esp= line is for pfs=yes
> Diffie-Hellman group (IF PFS = Yes):Group 24
> Phase-2 Lifetime (Secs/KB): 3600 sec
salifetime=3600
If you upgrade these, since you are using a PSK which is vulnerable to
dictionary attacks, please use a PSK of at least 32 random characters.
Paul
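Added illustration, not from the mailing-list post: the public-value check that the RFC 8247 text quoted above says MUST be done (RFC 6989 Section 2.2) whenever the non-safe-prime groups 23/24 are negotiated, and why it matters. The real group 24 parameters (2048-bit p and 256-bit q from RFC 5114) are not reproduced here; the tiny p, q and generator below are constructed so the code runs offline, and `valid_subgroup_public_value`/`distinct_shared_secrets` are names chosen for this example.

```python
"""RFC 6989 Section 2.2 style check for a MODP group whose generator g has
prime order q, where p-1 = 2*k*q and k has small factors (groups 23/24).
Toy parameters are constructed for illustration only."""

# Constructed toy group: p is prime and p-1 = 2 * 3 * q, so besides the
# intended order-q subgroup there is an order-3 "small subgroup".
P = 67
Q = 11
G = pow(2, (P - 1) // Q, P)  # an element of order exactly Q
assert G != 1 and pow(G, Q, P) == 1


def valid_subgroup_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Accept a peer's public value y only if it is in range (1 < y < p-1)
    and actually lies in the order-q subgroup, i.e. y^q mod p == 1.
    Values of small order outside <g> are rejected here; a peer that skips
    this check lets its private exponent leak modulo that small order."""
    if not (1 < y < p - 1):
        return False
    return pow(y, q, p) == 1


def distinct_shared_secrets(y: int, p: int = P) -> int:
    """Number of distinct values y^x mod p can take over all private
    exponents x: q for a legitimate y, but only ord(y) for a small-subgroup
    y, which is why the check above is mandatory for these groups."""
    return len({pow(y, x, p) for x in range(1, p - 1)})


if __name__ == "__main__":
    legit = pow(G, 5, P)               # g^x for some honest private x
    small = pow(2, (P - 1) // 3, P)    # an element of order 3, outside <g>
    for label, y in (("legit", legit), ("order-3", small), ("p-1", P - 1)):
        print(f"{label:8} y={y:3} accepted={valid_subgroup_public_value(y)} "
              f"distinct_secrets={distinct_shared_secrets(y)}")
```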