[Swan] Had to downgrade from 3.31 to 3.29 to get my tunnels working again
Paul Wouters
paul at nohats.ca
Thu Apr 23 12:47:28 UTC 2020
On Thu, 23 Apr 2020, John Serink wrote:
> I'm on gentoo and I upgraded to 3.31 which broke all of my tunnels.
> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the Cisco broke.
> I'm sure the reason is this:
>
> ike=aes128-md5;modp1024
> phase2alg=aes128-md5;modp1024
>
> Is there any way to "encourage" V3.31 to support the modp1024?
You have to recompile with USE_DH2=true
Of course, it is strongly recommended you do not do this and fix those
tunnel configurations to not use crypto parameters from the 1990's.
See RFC 8247 https://tools.ietf.org/html/rfc8247
Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
RFC 4307 to SHOULD NOT. It is known to be weak against sufficiently
funded attackers using commercially available mass-computing
resources, so its security margin is considered too narrow. It is
expected in the near future to be downgraded to MUST NOT.
Paul
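
An added example, not part of the original email or of libreswan: a small Python audit that scans ipsec.conf-style text for the parameters discussed in this thread (modp1024/DH group 2, plus MD5) on `ike=`, `phase2alg=` and `esp=` lines. The sample configuration is constructed, and the MD5 entry and its RFC 8221 reference are additions of this example rather than something stated in the thread.

```python
import re

# Constructed sample: the two lines quoted in the thread plus a stronger conn.
SAMPLE_CONF = """\
conn cisco
    ike=aes128-md5;modp1024
    phase2alg=aes128-md5;modp1024
conn modern
    ike=aes256-sha2;modp2048
    # ike=3des-md5;modp1024 (commented out, ignored)
"""

# Token -> reason. The DH group 2 status is the RFC 8247 text quoted above;
# the MD5 entry is this example's addition.
WEAK_TOKENS = {
    "modp1024": "DH group 2 (1024-bit MODP): SHOULD NOT per RFC 8247",
    "dh2": "DH group 2 (1024-bit MODP): SHOULD NOT per RFC 8247",
    "md5": "HMAC-MD5: MUST NOT per RFC 8247 (IKEv2) and RFC 8221 (ESP)",
}
PROPOSAL_KEYS = {"ike", "phase2alg", "esp"}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")

def audit(conf_text):
    """Return (conn, line_no, key, token, reason) for each weak token found."""
    findings = []
    conn = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop comments
        stripped = line.strip()
        if stripped.startswith("conn "):     # track the current section
            conn = stripped.split(None, 1)[1]
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in PROPOSAL_KEYS:
            continue
        key = m.group(1).lower()
        # Proposals are split on ','; parts within one on '-', ';' or '+'.
        for token in re.split(r"[-;,+\s]+", m.group(2).lower().strip('"')):
            if token in WEAK_TOKENS:
                findings.append((conn, line_no, key, token, WEAK_TOKENS[token]))
    return findings

if __name__ == "__main__":
    for conn, line_no, key, token, reason in audit(SAMPLE_CONF):
        print(f"conn {conn} line {line_no}: {key} uses {token} -> {reason}")
```

Running it before an upgrade shows which connections still depend on proposals that a build without USE_DH2 will refuse.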