[Swan] Had to downgrade from 3.31 to 3.29 to get my tunnels working again

John Serink jserink2004 at yahoo.com
Sun Apr 26 05:46:30 UTC 2020

ok, thank you.

Sent from Yahoo Mail on Android 
  On Thu, 23 Apr 2020 at 8:47 PM, Paul Wouters<paul at nohats.ca> wrote:   On Thu, 23 Apr 2020, John Serink wrote:

> I'm on gentoo and I upgraded to 3.31 which broke all of my tunnels.
> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the Cisco broke.
> I'm sure the reason is this:
>      ike=aes128-md5;modp1024
>      phase2alg=aes128-md5;modp1024
> Is there any way to "encourage" V3.31 to support the modp1024?

You have to recompile with with USE_DH2=true

Of course, it is strongly recommended you do not do this and fix those
tunnel configurations to not use crypto parameters from the 1990's.

See RFC 8247 https://tools.ietf.org/html/rfc8247

    Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
    RFC 4307 to SHOULD NOT.  It is known to be weak against sufficiently
    funded attackers using commercially available mass-computing
    resources, so its security margin is considered too narrow.  It is
    expected in the near future to be downgraded to MUST NOT.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200426/4e240a99/attachment.html>

More information about the Swan mailing list