[Swan] Suggested cipher suites in Libreswan 3.29
tod.larson at gmail.com
Wed Jul 10 02:05:29 UTC 2019
Building your config file to conform Suite B RFC 6379 is a good reference.
> On Jul 9, 2019, at 1:06 AM, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> Thanks Paul for the help and much appreciated.
>> On Tue, Jul 9, 2019 at 9:12 AM Paul Wouters <paul at nohats.ca> wrote:
>> On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
>> > I am running libreswan version 3.29 on CentOS 7.6 and the details are as below:-
>> > I have the below config.
>> > conn apps-tomcat-primary
>> > type=tunnel
>> > authby=secret
>> > left=%defaultroute
>> > leftid=18.104.22.168
>> > leftnexthop=%defaultroute
>> > leftsubnet=22.214.171.124/32
>> > right=126.96.36.199
>> > rightsubnet=188.8.131.52/32
>> > ike=aes128-sha1;modp1024
>> Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
>> compile time disabled by default.
>> > phase2alg=aes128-sha1;modp1536
>> It also makes little sense to have a larger phase2 DH group.
>> > pfs=yes
>> > auto=start
>> > ikev2=no
>> > I will appreciate if you can let me know the suggested cipher suites (encryption and authentication) to be implemented as per the above Libreswan IPsec configuration.
>> It will only allow what you specified on the ike= and esp= lines. Only
>> if you specify nothing in the conn, do you get default ciphers eiter
>> from conn %default or via the system-wide crypto policies (via conn
>> So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
>> INTEG, using DH2. Your esp=/phase2alg- line only allows AES 128 bit key,
>> SHA1 for INTEG and DH5 Quickmode/PFS.
> Swan mailing list
> Swan at lists.libreswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan