[Swan] Had to downgrade from 3.31 to 3.29 to get my tunnels working again
paul at nohats.ca
Thu Apr 23 12:47:28 UTC 2020
On Thu, 23 Apr 2020, John Serink wrote:
> I'm on gentoo and I upgraded to 3.31 which broke all of my tunnels.
> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the Cisco broke.
> I'm sure the reason is this:
> Is there any way to "encourage" V3.31 to support the modp1024?
You have to recompile with USE_DH2=true
Of course, it is strongly recommended you do not do this and fix those
tunnel configurations to not use crypto parameters from the 1990's.
See RFC 8247 https://tools.ietf.org/html/rfc8247
Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
RFC 4307 to SHOULD NOT. It is known to be weak against sufficiently
funded attackers using commercially available mass-computing
resources, so its security margin is considered too narrow. It is
expected in the near future to be downgraded to MUST NOT.
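As an added audit helper (not from this thread and not part of libreswan's own tooling), the script below scans an ipsec.conf for conns whose ike= or esp= proposals pin the DH group to MODP-1024 and suggests the same proposal with modp2048 (group 14, which RFC 8247 lists as MUST). It assumes libreswan's `enc-integ;dhgroup` proposal syntax with `,` separating proposals and `+` separating alternatives, that the group is spelled `modp1024` or `dh2`, and that the peer (the Cisco or Digi side) will be given the matching change. The configuration text is constructed for the example.

```python
"""Find ipsec.conf conns still negotiating with MODP-1024 (IKE DH group 2)."""
import re
from typing import Dict, List

# Constructed sample ipsec.conf: one conn pinned to group 2, one already on group 14.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn %default
    keyexchange=ike

conn cisco-branch
    left=192.0.2.10
    right=198.51.100.20
    authby=secret
    ikev2=no
    ike=aes128-sha1;modp1024      # 1990s parameters: rejected by 3.31 without USE_DH2
    esp=aes128-sha1;modp1024
    auto=start

conn digi-site
    left=192.0.2.10
    right=203.0.113.5
    authby=secret
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256
    auto=start
"""

WEAK_GROUPS = {"modp1024", "dh2"}   # the two spellings libreswan accepts for group 2 (assumption)
PREFERRED_GROUP = "modp2048"        # group 14: MUST in RFC 8247


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn name: {option: value}}; 'config setup' and comments are skipped."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip trailing comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if current is None or not line[0].isspace():
            continue                               # not inside a conn section
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def weak_groups(proposal: str) -> List[str]:
    """List the DH group names in an ike=/esp= value that are MODP-1024."""
    found = []
    for prop in proposal.split(","):
        _, _, dh_part = prop.partition(";")        # DH group(s) follow the ';'
        for group in dh_part.split("+"):
            if group.strip().lower() in WEAK_GROUPS:
                found.append(group.strip().lower())
    return found


def audit(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn: {ike/esp: suggested value}} for every proposal pinned to group 2."""
    findings: Dict[str, Dict[str, str]] = {}
    for name, opts in parse_conns(text).items():
        for key in ("ike", "esp"):
            value = opts.get(key)
            if value and weak_groups(value):
                fixed = re.sub(r"(?i)\b(modp1024|dh2)\b", PREFERRED_GROUP, value)
                findings.setdefault(name, {})[key] = fixed
    return findings


if __name__ == "__main__":
    for conn, changes in audit(SAMPLE_CONF).items():
        for key, suggested in changes.items():
            print(f"conn {conn}: set {key}={suggested}")
```

Run it against the real file with `audit(open("/etc/ipsec.conf").read())`; each reported conn needs the same group change on the remote router's IKE policy, otherwise the proposals will simply stop matching from the other direction.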