[Swan] Suggested cipher suites in Libreswan 3.29
kaushalshriyan at gmail.com
Tue Jul 9 05:06:47 UTC 2019
Thanks Paul for the help and much appreciated.
On Tue, Jul 9, 2019 at 9:12 AM Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
> > I am running libreswan version 3.29 on CentOS 7.6 and the details are as
> > I have the below config.
> > conn apps-tomcat-primary
> > type=tunnel
> > authby=secret
> > left=%defaultroute
> > leftid=184.108.40.206
> > leftnexthop=%defaultroute
> > leftsubnet=220.127.116.11/32
> > right=18.104.22.168
> > rightsubnet=22.214.171.124/32
> > ike=aes128-sha1;modp1024
> Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
> compile time disabled by default.
> > phase2alg=aes128-sha1;modp1536
> It also makes little sense to have a larger phase2 DH group.
> > pfs=yes
> > auto=start
> > ikev2=no
> > I will appreciate if you can let me know the suggested cipher suites
> (encryption and authentication) to be implemented as per the above
> Libreswan IPsec configuration.
> It will only allow what you specified on the ike= and esp= lines. Only
> if you specify nothing in the conn, do you get default ciphers eiter
> from conn %default or via the system-wide crypto policies (via conn
> So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
> INTEG, using DH2. Your esp=/phase2alg- line only allows AES 128 bit key,
> SHA1 for INTEG and DH5 Quickmode/PFS.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan