[Swan] Libreswan 3.27 upgrade to 3.32 Problems IKEV1 Ciphers and DH Groups RFC4109

Paul Wouters paul at nohats.ca
Thu Jul 30 01:20:44 UTC 2020


On Wed, 29 Jul 2020, Jorge Sevillanos wrote:

> I've received a notification that version 3.27 has vulnerabilities and the solution is to update to version 3.32 or apply the patches.

Indeed.

> The problem with upgrading to version 3.32 is that in ikev1 configurations, some ciphers and DH groups have been deprecated. Is there something I
> can do to upgrade from 3.27 to 3.32 and use the RFC4109 which is the standard that updated the RFC2409?

Some were only no longer placed in the defaults, but you can still add them
using an ike= and esp= line.

The only thing that got disabled was DH2. If you _really_ want it back,
recompile with USE_DH2=yes set in ~/libreswan/Makefile.inc.local

But anything that supports DH2, supports DH5, so it is better to upgrade
your configurations. DH2 can be broken with university budgets.

Paul
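
An added example (not part of the original message and not Libreswan's own code): a small Python check that lists the ike= and esp= proposals in an ipsec.conf that still name DH2, with the same proposal rewritten to DH5, so they can be changed before moving to 3.32. The sample configuration is constructed, and treating both `modp1024` and `dh2` as spellings of DH2 is an assumption.

```python
import re

# Spellings treated as DH group 2 (assumption: either may appear in a config).
DH2_NAMES = {"modp1024", "dh2"}
DH5_NAME = "modp1536"  # DH group 5

# Constructed sample ipsec.conf, not taken from the thread.
SAMPLE_CONF = """\
conn legacy-peer
    ikev2=no
    ike=3des-sha1;modp1024
    esp=3des-sha1
conn branch-office
    ikev2=no
    ike=aes256-sha1;modp1536,aes128-sha1;dh2
    esp=aes256-sha1
conn defaults-only
    ikev2=no
"""

def find_dh2(conf_text):
    """Return (conn, option, proposal, suggested) for each proposal naming DH2."""
    findings = []
    conn = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"(ike|esp)\s*=\s*(.+)$", line)
        if not m:
            continue
        option, value = m.groups()
        for proposal in value.split(","):  # one line may carry several proposals
            proposal = proposal.strip()
            tokens = re.split(r"[-;+]", proposal.lower())
            if DH2_NAMES & set(tokens):
                suggested = re.sub(r"(?i)\b(modp1024|dh2)\b", DH5_NAME, proposal)
                findings.append((conn, option, proposal, suggested))
    return findings

if __name__ == "__main__":
    for conn, option, old, new in find_dh2(SAMPLE_CONF):
        print(f"conn {conn}: {option}={old} uses DH2; consider {new}")
```

Connections with no ike= or esp= line, such as `defaults-only` in the sample, are not reported because they rely on whatever defaults the installed version ships.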

