[Swan] Had to downgrade from 3.31 to 3.29 to get my tunnels working again
John Serink
jserink2004 at yahoo.com
Sun Apr 26 05:46:30 UTC 2020
ok, thank you.
cheers, john
Sent from Yahoo Mail on Android
On Thu, 23 Apr 2020 at 8:47 PM, Paul Wouters <paul at nohats.ca> wrote:
On Thu, 23 Apr 2020, John Serink wrote:
> I'm on gentoo and I upgraded to 3.31 which broke all of my tunnels.
> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the Cisco broke.
> I'm sure the reason is this:
>
> ike=aes128-md5;modp1024
> phase2alg=aes128-md5;modp1024
>
> Is there any way to "encourage" V3.31 to support the modp1024?
You have to recompile with USE_DH2=true
Of course, it is strongly recommended you do not do this and fix those
tunnel configurations to not use crypto parameters from the 1990's.
See RFC 8247 https://tools.ietf.org/html/rfc8247
Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
RFC 4307 to SHOULD NOT. It is known to be weak against sufficiently
funded attackers using commercially available mass-computing
resources, so its security margin is considered too narrow. It is
expected in the near future to be downgraded to MUST NOT.
Paul
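An added example, not from the thread and not libreswan's own code: a small audit script that parses the `ike=` / `phase2alg=` proposal strings in the form John posted (`enc-integ;dhgroup`, several proposals separated by commas) and flags every algorithm whose RFC 8247 level is SHOULD NOT or MUST NOT. The `modp1024` entry is the SHOULD NOT status Paul quotes; the other table entries are RFC 8247 levels as I recall them (MD5 integrity is MUST NOT there, which is the second problem with these proposals) and should be checked against the RFC before relying on them. The `cisco-site` conn name, the replacement proposal `aes256-sha2_256;dh14`, and the sample config text are constructed for this example; the thread does not say which proposals the Cisco IOS and Digi peers accept, so the replacement is only a starting point to test against each peer.

```python
"""Audit libreswan ike=/phase2alg=/esp= proposals against RFC 8247 levels.

Example code written for this thread; not part of libreswan. Proposal syntax
handled: ENC-INTEG;DH (libreswan style), or ENC-INTEG-DH, several proposals
separated by commas. AEAD forms such as aes_gcm are not parsed here.
"""
import re

# RFC 8247 requirement levels as recalled from the RFC (assumption: verify
# against the RFC text). modp1024 / dh2 is the group discussed in the thread.
# Anything not listed is reported as "unknown" rather than assumed safe.
RFC8247 = {
    # integrity / PRF
    "md5": "MUST NOT",
    "sha1": "MUST-",
    "sha2": "MUST",
    "sha2_256": "MUST",
    "sha2_512": "SHOULD",
    # encryption
    "3des": "SHOULD NOT",
    "aes": "MUST",
    "aes128": "MUST",
    "aes256": "MUST",
    # Diffie-Hellman groups
    "modp1024": "SHOULD NOT",   # group 2, quoted as SHOULD NOT in the thread
    "dh2": "SHOULD NOT",
    "modp1536": "SHOULD NOT",
    "dh5": "SHOULD NOT",
    "modp2048": "MUST",
    "dh14": "MUST",
    "dh19": "SHOULD",
    "dh20": "SHOULD",
}
WEAK_LEVELS = {"MUST NOT", "SHOULD NOT"}


def parse_proposals(value):
    """Split 'aes128-md5;modp1024,aes256-sha2;dh14' into a list of dicts
    with keys enc, integ, dh (None where a part is absent)."""
    proposals = []
    for prop in value.split(","):
        prop = prop.strip()
        if not prop:
            continue
        algs, _, dh = prop.partition(";")
        parts = algs.split("-")
        # ENC-INTEG-DH form: the third dash-separated part is the DH group
        if not dh and len(parts) == 3:
            dh = parts[2]
        enc = parts[0]
        integ = parts[1] if len(parts) > 1 else None
        proposals.append({"enc": enc, "integ": integ, "dh": dh or None})
    return proposals


def audit_conn(conf_text):
    """Return (key, proposal_value, algorithm, level) for every algorithm in
    an ike=/phase2alg=/esp= line whose RFC 8247 level is SHOULD NOT or
    MUST NOT. An empty list means nothing weak was found."""
    findings = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(ike|phase2alg|esp)\s*=\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        for prop in parse_proposals(value):
            for alg in (prop["enc"], prop["integ"], prop["dh"]):
                if alg is None:
                    continue
                level = RFC8247.get(alg, "unknown")
                if level in WEAK_LEVELS:
                    findings.append((key, value, alg, level))
    return findings


# Constructed sample: the two proposal lines from the thread in a conn block.
WEAK_CONN = """conn cisco-site
    ike=aes128-md5;modp1024
    phase2alg=aes128-md5;modp1024
"""

# Constructed replacement using only MUST/SHOULD entries from the table above.
# Whether the peers accept it must be verified on each peer.
FIXED_CONN = """conn cisco-site
    ike=aes256-sha2_256;dh14
    phase2alg=aes256-sha2_256;dh14
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONN), ("fixed", FIXED_CONN)):
        print(name)
        for key, value, alg, level in audit_conn(conf) or []:
            print(f"  {key}={value}: {alg} is {level} in RFC 8247")
```

Run it against a real `ipsec.conf` by feeding the file contents to `audit_conn()`; on the sample above it reports MD5 and modp1024 in both the IKE and the phase 2 proposal, and nothing for the replacement.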