[Swan] Libreswan 3.3.0 breakage

Paul Wouters paul at nohats.ca
Mon Feb 17 17:25:17 UTC 2020

On Mon, 17 Feb 2020, John Crisp wrote:

>> Does the other end run strongswan? It is not handling RSA-PSS properly
>> as per RFC. If you were using the libreswan default of authby=rsasig, you
>> can try changing it to authby=rsa-sha1 to disable all RFC 7427 support.
> Linux strongSwan U5.3.5/K4.4.145.e3.1
> Look like it :-(
> However, I was using authby=rsasig already which *was* working.

Yes. This used to mean "rsa-sha1". Now it means "rsa-sha1,rsa-sha2".
This triggers a bug in strongswan, which returns ONLY an RFC 7427 style
SHA1, which RFC 8247 disallows. Besides, we did not advertise support
for SHA1 using RFC 7427 style support, so they are not allowed to
"select" it. You can either reconfigure strongswan or go back to
only using sha1 and not sha1,sha2.

>>> responding to Main Mode from unknown peer
>>> OAKLEY_GROUP 2 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
>> If you _really_ want you can enable it at compile time with USE_DH2=true
> Ain't going to happen :-( Easier just to use 3.29 (and there is the nub
> of the problem)

Then there is no more hope for you in the future. Your VPNs are insecure
against the most powerful attackers, and any future bugs and features
you will miss. If you cannot update a configuration in 20 years, then
you are simply not offering security services. Sorry. You can tell your
client the author of RFC 8247 and RFC 8221 said so.

> Someone ought to tell Google to fix their crappy phone system then ;-)
> That is an Android v10 ipsec l2tpd connection....

I've been shaming google android for years at every chance I get.
Speaking to their developers and at conferences. Android 11 will have
IKEv2 finally. But I guess you might need 5 years for the phones to
upgrade or be replaced to get the feature.

> Why on earth don't they do something? Or have the nation states asked
> them not to?

Google is a TLS organization. their business model is "host all your
data with us, behind TLS, and you won't need a VPN". It took a lot of
shaming for them to finally work on this. (also they needed to write
it from scratch because all opensource IKEv2 was/is basically GPL, not
BSD licensed)

> (we are using ipsec/l2tpd for mobile remote access - as opposed to
> network-network tunnels - because it is on most devices by default and
> can be easily linked to the local user for allowing access and IP
> allocation etc - IKE v2 doesn't handle PAM authentication as far as I can see.....)

yeah, for IKEv2 you need EAP-TLS or EAP-mschapv2, which libreswan does
not yet support :/
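As an added illustration of the authby change discussed in this thread (this is example configuration written for this page, not something posted by Paul or John, and not taken from the libreswan or strongSwan projects), here are two libreswan ipsec.conf connection definitions side by side: the one that breaks against an old strongSwan peer after upgrading to 3.3.0, and the workaround from the reply. The connection names, addresses, IDs and certificate nickname are placeholders.

```conf
# Added example, not from the mailing-list post. Connection names, IP
# addresses, IDs and the NSS certificate nickname are placeholders.

# On libreswan 3.3.0 "authby=rsasig" now means "rsa-sha1,rsa-sha2", so
# libreswan advertises RFC 7427 signature authentication. A strongSwan
# 5.3.5 peer answers with an RFC 7427-style SHA-1 signature that was
# never offered (and that RFC 8247 disallows), and authentication fails.
conn peer-strongswan-broken
    left=203.0.113.1
    leftcert=gatewayCert
    leftid=@gateway.example.com
    right=198.51.100.1
    rightid=@peer.example.com
    rightrsasigkey=%cert
    authby=rsasig            # 3.3.0 meaning: rsa-sha1,rsa-sha2
    ikev2=insist
    auto=ignore              # kept here only for comparison

# Workaround from the reply: pin the connection to classic RSA with SHA-1,
# which stops libreswan from offering RFC 7427 support to this peer at
# all, until the strongSwan side is fixed or reconfigured.
conn peer-strongswan-workaround
    left=203.0.113.1
    leftcert=gatewayCert
    leftid=@gateway.example.com
    right=198.51.100.1
    rightid=@peer.example.com
    rightrsasigkey=%cert
    authby=rsa-sha1          # disables RFC 7427 negotiation for this conn
    ikev2=insist
    auto=start
```

After editing, load and bring up the workaround connection with `ipsec auto --replace peer-strongswan-workaround` followed by `ipsec auto --up peer-strongswan-workaround`, and confirm with `ipsec status` that the IKE SA establishes. Treat the workaround as temporary: it trades away SHA-2 signatures on this one connection, so the real fix remains upgrading or reconfiguring the strongSwan peer.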

