[Swan] Changing IPSec Tunnel

Paul Connolly paulconnolly75 at gmail.com
Sun Feb 24 14:49:18 UTC 2019


Thank you so much for your thorough response!  That's unfortunate about
possibly having to manually compile support for dh24.  I doubt the third
party that we are working with will budge on the settings but I will ask.
I was looking through the docs to see if I could tell what versions removed
dh24 from compiling but had no luck.  I'm running 3.20 on CentOS 7.  Do you
know if dh24 support is compiled in this version or if there's a way for me
to check?

On Sat, Feb 23, 2019 at 7:25 PM Paul Wouters <paul at nohats.ca> wrote:

> On Sat, 23 Feb 2019, Paul Connolly wrote:
>
> > I have an IPSec tunnel configured with a third party that has informed
> > me they require a config change this week and it's been nearly a year since
> > I last touched this so I'm knocking the rust off my Libreswan-Fu.  Below are
> > the original specs from the third party and the current tunnel config that
> > is working as well as the new specs.  Can someone give some guidance what
> > changes I need to make on the new config?  PFS=yes seems obvious and I
> > assume ike and phase2alg values need to change some guidance would be super
> > helpful.
>
> I'm glad to see people migrating to more secure parameters. I wish more
> people did that!
>
> > Orig IPsec.conf
>
> >   ikelifetime=1440m
> >   salifetime=60m
> >   ike=aes256-sha1;dh2
> >   phase2alg=aes256-sha1;modp1024
>
> > New Specs:
> > IKE Version:IKEv2
>
>         ikev2=insist
>
> > Phase - 1 Parameters
> > Encryption Algorithm: AES-GCM-256
> > Integrity algorithm: Null
> > Diffie-Hellman group: Group 24
>
> Now this is tricky. They want DH24? There are issues with DH 22-24, see:
>
> https://tools.ietf.org/html/rfc8247#section-2.4
>
>     Groups 22, 23, and 24 are MODP groups with Prime Order Subgroups that
>     are not safe primes.  The seeds for these groups have not been
>     publicly released, resulting in reduced trust in these groups.  These
>     groups were proposed as alternatives for groups 2 and 14 but never
>     saw wide deployment.  It has been shown that group 22 with 1024-bit
>     MODP is too weak and academia have the resources to generate
>     malicious values at this size.  This has resulted in group 22 to be
>     demoted to MUST NOT.  Groups 23 and 24 have been demoted to SHOULD
>     NOT and are expected to be further downgraded in the near future to
>     MUST NOT.  Since groups 23 and 24 have small subgroups, the checks
>     specified in the first bullet point of Section 2.2 of "Additional
>     Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2
>     (IKEv2)" [RFC6989] MUST be done when these groups are used.
>
>
> libreswan supports DH 22-24 but no longer compiles support in by
> default, and depending on your compile/distro, you might have to
> recompile with USE_DH24=true set in Makefile.inc (or Makefile.inc.local)
>
> If you do, then the ike= line becomes:
>
>         ike=aes_gcm256-sha2_256;dh24
>
> But I recommend:
>
>         ike=aes_gcm256-sha2_256;dh19
>
> Note the sha2_256 here stands for the PRF, not the INTEG (GCM is an AEAD
> algorithm with builtin integrity with encryption)
>
> > Phase-1 lifetime (Secs/KB): 86400 sec
>
>         ikelifetime=86400
>
> > Phase - 2 Parameters
> > Encryption & Integrity algorithm: ESP-GCM-256
> > Integrity algorithm: Null
> > PFS: Yes
>
>         esp=aes_gcm256;dh19
>
> (or dh24 see above)
>
> The DH on the esp= line is for pfs=yes
>
> > Diffie-Hellman group (IF PFS = Yes):Group 24
> > Phase-2 Lifetime (Secs/KB): 3600 sec
>
>         salifetime=3600
>
> If you upgrade these, since you are using a PSK which is vulnerable to
> dictionary attacks, please use a minimum of 32 random character PSK.
>
> Paul
>
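
An added example, not part of the original thread and not libreswan's own code: a small Python check that flags the DH groups discussed above (dh2/modp1024 from the original config and the RFC 8247 groups 22-24) in a conn body, along with the `ikev2` and `pfs` settings. The sample configs are constructed from option values in the thread; the `pfs=` lines and the function names are assumptions.

```python
import re

# DH group names as written on the ike=/esp=/phase2alg= lines in this thread.
WEAK_DH = {
    "dh2": "1024-bit MODP; RFC 8247 SHOULD NOT",
    "modp1024": "1024-bit MODP; RFC 8247 SHOULD NOT",
    "dh22": "RFC 8247 MUST NOT",
    "dh23": "RFC 8247 SHOULD NOT",
    "dh24": "RFC 8247 SHOULD NOT; may need USE_DH24=true at build time",
}

def parse_conn(text):
    """Collect key=value options from a conn body, skipping comments."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    pairs = (line.split("=", 1) for line in lines if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def audit(text):
    """Return a list of findings for one conn body (empty list = clean)."""
    opts = parse_conn(text)
    findings = []
    for key in ("ike", "esp", "phase2alg"):
        proposal = opts.get(key, "").lower()
        for group in re.findall(r"\b(dh\d+|modp\d+)\b", proposal):
            if group in WEAK_DH:
                findings.append(f"{key}: {group} ({WEAK_DH[group]})")
    if opts.get("ikev2") != "insist":
        findings.append("ikev2: not set to insist")
    if opts.get("pfs") == "no":
        findings.append("pfs: disabled")
    return findings

# Constructed samples: algorithm values come from the thread,
# the pfs= lines are assumed for illustration.
OLD = """
    ike=aes256-sha1;dh2
    phase2alg=aes256-sha1;modp1024
    pfs=no
"""
NEW = """
    ikev2=insist
    ike=aes_gcm256-sha2_256;dh19
    esp=aes_gcm256;dh19
    pfs=yes
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD), ("new", NEW)):
        print(name, audit(conf) or "no findings")
```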