[Swan] Had to downgrade from 3.31 to 3.29 to get my tunnels working again

Paul Wouters paul at nohats.ca
Thu Apr 23 12:47:28 UTC 2020

On Thu, 23 Apr 2020, John Serink wrote:

> I'm on gentoo and I upgraded to 3.31 which broke all of my tunnels.
> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the Cisco broke.
> I'm sure the reason is this:
>      ike=aes128-md5;modp1024
>      phase2alg=aes128-md5;modp1024
> Is there any way to "encourage" V3.31 to support the modp1024?

You have to recompile with with USE_DH2=true

Of course, it is strongly recommended you do not do this and fix those
tunnel configurations to not use crypto parameters from the 1990's.

See RFC 8247 https://tools.ietf.org/html/rfc8247

    Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
    RFC 4307 to SHOULD NOT.  It is known to be weak against sufficiently
    funded attackers using commercially available mass-computing
    resources, so its security margin is considered too narrow.  It is
    expected in the near future to be downgraded to MUST NOT.


More information about the Swan mailing list