[Swan] Suggested cipher suites in Libreswan 3.29
Kaushal Shriyan
kaushalshriyan at gmail.com
Tue Jul 9 05:06:47 UTC 2019
Thanks Paul for the help and much appreciated.
On Tue, Jul 9, 2019 at 9:12 AM Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
>
> > I am running libreswan version 3.29 on CentOS 7.6 and the details are as
> below:-
>
> > I have the below config.
> >
> > conn apps-tomcat-primary
> > type=tunnel
> > authby=secret
> > left=%defaultroute
> > leftid=128.117.167.12
> > leftnexthop=%defaultroute
> > leftsubnet=128.117.167.12/32
> > right=126.114.94.7
> > rightsubnet=126.114.90.7/32
> > ike=aes128-sha1;modp1024
>
> Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
> compile time disabled by default.
>
> > phase2alg=aes128-sha1;modp1536
>
> It also makes little sense to have a larger phase2 DH group.
>
> > pfs=yes
> > auto=start
> > ikev2=no
> >
> >
> > I will appreciate if you can let me know the suggested cipher suites
> (encryption and authentication) to be implemented as per the above
> Libreswan IPsec configuration.
>
> It will only allow what you specified on the ike= and esp= lines. Only
> if you specify nothing in the conn, do you get default ciphers eiter
> from conn %default or via the system-wide crypto policies (via conn
> %default).
>
> So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
> INTEG, using DH2. Your esp=/phase2alg- line only allows AES 128 bit key,
> SHA1 for INTEG and DH5 Quickmode/PFS.
>
> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190709/67e54428/attachment.html>
More information about the Swan
mailing list