[Swan] Suggested cipher suites in Libreswan 3.29

Tod Larson tod.larson at gmail.com
Wed Jul 10 02:05:29 UTC 2019


Building your config file to conform to Suite B (RFC 6379) is a good reference. 

https://datatracker.ietf.org/doc/rfc6379/?include_text=1

> On Jul 9, 2019, at 1:06 AM, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> 
> Thanks Paul for the help and much appreciated.
> 
>> On Tue, Jul 9, 2019 at 9:12 AM Paul Wouters <paul at nohats.ca> wrote:
>> On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
>> 
>> > I am running libreswan version 3.29 on CentOS 7.6 and the details are as below:-
>> 
>> > I have the below config. 
>> >
>> >        conn apps-tomcat-primary
>> >               type=tunnel
>> >               authby=secret
>> >               left=%defaultroute
>> >               leftid=128.117.167.12
>> >               leftnexthop=%defaultroute
>> >               leftsubnet=128.117.167.12/32
>> >               right=126.114.94.7
>> >               rightsubnet=126.114.90.7/32
>> >               ike=aes128-sha1;modp1024
>> 
>> Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
>> compile time disabled by default.
>> 
>> >               phase2alg=aes128-sha1;modp1536
>> 
>> It also makes little sense to have a larger phase2 DH group.
>> 
>> >               pfs=yes
>> >               auto=start
>> >               ikev2=no
>> > 
>> > 
>> > I will appreciate if you can let me know the suggested cipher suites (encryption and authentication) to be implemented as per the above Libreswan IPsec configuration.
>> 
>> It will only allow what you specified on the ike= and esp= lines. Only
>> if you specify nothing in the conn, do you get default ciphers either
>> from conn %default or via the system-wide crypto policies (via conn
>> %default).
>> 
>> So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
>> INTEG, using DH2. Your esp=/phase2alg= line only allows AES 128 bit key,
>> SHA1 for INTEG and DH5 Quickmode/PFS.
>> 
>> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
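As an added example (my own code, not from this thread or from libreswan), here is a small Python checker that applies the points made above to a conn: an ike=/esp= line allows exactly what it lists, modp1024 (DH2) is too weak, and a phase 2 DH group stronger than phase 1's buys nothing. It also recognises the two RFC 6379 GCM suites the reply points at. The DH strength figures are approximate, the Suite B spellings (sha2_384, dh20, aes_gcm_c-256-null, ikev2=insist) are my reading of libreswan's proposal syntax rather than anything the thread confirms, and both conn texts are constructed (the first is the posted conn reduced to its proposal lines).

```python
import re

# Approximate DH group strength in bits (NIST SP 800-57 for MODP, interpolated
# for 1536/4096/6144-bit, half the curve size for ECP); only the ordering matters.
DH_STRENGTH = {"modp1024": 80, "modp1536": 88, "modp2048": 112, "modp3072": 128,
               "modp4096": 152, "modp6144": 176, "modp8192": 192,
               "ecp_256": 128, "ecp_384": 192, "ecp_521": 256, "curve25519": 128}
DH_CANON = {g: g for g in DH_STRENGTH}            # libreswan takes dhNN or group names
DH_CANON.update({"dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048",
                 "dh15": "modp3072", "dh16": "modp4096", "dh17": "modp6144",
                 "dh18": "modp8192", "dh19": "ecp_256", "dh20": "ecp_384",
                 "dh21": "ecp_521", "dh31": "curve25519"})
# RFC 6379 GCM suites: (IKE enc, IKE key bits, IKE integ/PRF, IKE DH, ESP AES-GCM key bits).
# ESP integrity is NULL with a 16-octet ICV in both; the GMAC suites are omitted.
SUITE_B = {"Suite-B-GCM-128": ("aes", 128, "sha2_256", "ecp_256", 128),
           "Suite-B-GCM-256": ("aes", 256, "sha2_384", "ecp_384", 256)}


def parse_conn(text):
    """Key/value map of one ipsec.conf conn section, comments stripped."""
    conn = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_proposals(spec):
    """Split an ike=/esp= string ("aes128-sha1;modp1024", "aes_gcm_c-256-null;dh20")
    into [{enc, keylen, integ, dh}]; a proposal allows exactly what it lists."""
    props = []
    for chunk in spec.lower().split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        dh = None
        if ";" in chunk:
            chunk, dh = chunk.split(";", 1)
        parts = chunk.split("-")
        enc, keylen = re.match(r"^([a-z0-9_]+?)_?(\d+)?$", parts[0]).groups()
        keylen, integ = (int(keylen) if keylen else None), None
        for part in parts[1:]:
            if part.isdigit() and keylen is None:
                keylen = int(part)             # "aes_gcm_c-256": key length as own token
            elif part in DH_CANON:
                dh = part                      # newer "-dh20" placement
            elif integ is None:
                integ = part
        props.append({"enc": enc, "keylen": keylen, "integ": integ,
                      "dh": DH_CANON.get(dh.strip(), dh.strip()) if dh else None})
    return props


def proposals_of(conn):
    """(ike, esp) proposal lists; phase2alg= is the older alias of esp=."""
    return (parse_proposals(conn.get("ike", "")),
            parse_proposals(conn.get("esp", conn.get("phase2alg", ""))))


def audit_conn(text):
    """Return [(severity, message)] for one conn."""
    conn = parse_conn(text)
    ike, esp = proposals_of(conn)
    findings = []
    for phase, props in (("ike", ike), ("esp", esp)):
        for p in props:
            if p["enc"] in ("des", "3des"):
                findings.append(("weak", f"{phase}: {p['enc']} is a 64-bit block cipher"))
            if p["integ"] == "md5":
                findings.append(("weak", f"{phase}: md5 integrity"))
            elif p["integ"] == "sha1":
                findings.append(("legacy", f"{phase}: sha1 integrity; no RFC 6379 suite uses SHA-1"))
            bits = DH_STRENGTH.get(p["dh"] or "", 112)   # unknown groups are not judged
            if bits < 112:
                note = "; libreswan 3.30 disables it at build time" if p["dh"] == "modp1024" else ""
                findings.append(("weak", f"{phase}: DH group {p['dh']} (~{bits}-bit) is too weak{note}"))
    ike_bits = [DH_STRENGTH.get(p["dh"], 0) for p in ike if p["dh"]]
    esp_bits = [DH_STRENGTH.get(p["dh"], 0) for p in esp if p["dh"]]
    if ike_bits and esp_bits and max(esp_bits) > max(ike_bits):
        findings.append(("info", "phase 2 DH group is stronger than the IKE group whose keys "
                                 "protect the phase 2 exchange; raise the ike= group instead"))
    if conn.get("ikev2", "").lower() in ("no", "never"):
        findings.append(("info", "ikev2=no forces IKEv1; RFC 6379 defines its suites for IKEv2 and ESP"))
    return findings


def suite_b_match(conn):
    """Name the RFC 6379 GCM suite a conn implements exactly, else None."""
    ike, esp = proposals_of(conn)
    if len(ike) != 1 or len(esp) != 1 or conn.get("ikev2", "").lower() in ("no", "never"):
        return None
    i, e = ike[0], esp[0]
    # aes_gcm_c is the 16-octet-ICV spelling; plain aes_gcm is assumed to mean the same.
    if e["enc"] not in ("aes_gcm", "aes_gcm_c") or e["integ"] not in (None, "null"):
        return None
    for name, (enc, bits, integ, dh, esp_bits) in SUITE_B.items():
        if (i["enc"], i["keylen"], i["integ"], i["dh"], e["keylen"]) == (enc, bits, integ, dh, esp_bits):
            return name
    return None


# Constructed inputs: the posted conn reduced to its proposal lines, and a
# Suite-B-GCM-256 rewrite whose spellings are an assumption about libreswan syntax.
POSTED_CONN = """conn apps-tomcat-primary
        ike=aes128-sha1;modp1024
        phase2alg=aes128-sha1;modp1536
        pfs=yes
        ikev2=no
"""
SUITE_B_CONN = """conn apps-tomcat-primary
        ikev2=insist
        ike=aes256-sha2_384;dh20
        esp=aes_gcm_c-256-null;dh20
        pfs=yes
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONN), ("suite b", SUITE_B_CONN)):
        print(f"{label}: matches {suite_b_match(parse_conn(text))}")
        for severity, message in audit_conn(text):
            print(f"  [{severity}] {message}")
```

Run it directly to see the findings for both conns. Whether a proposal string is actually accepted by your build is something the checker cannot tell you; the ipsec.conf(5) manpage for your version, and `ipsec algparse` where the build ships it, are the authoritative check.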