[Swan] libreswan upgrade on centos 7.9

Paul Wouters paul.wouters at aiven.io
Tue Oct 19 18:56:00 UTC 2021


On Tue, 19 Oct 2021, Frank Liu wrote:

> We are using libreswan 3.25 bundled with centos 7.9, having a tunnel with Cisco ASA with DPD
> enabled. Occasionally, the tunnel stops working, and a manual restart of libreswan will
> always be able to fix it.
> 
> We are thinking of upgrading to the latest 4.5 from
> https://download.libreswan.org/binaries/rhel/7/x86_64/ and see if it is more stable. Is 4.5 a
> simple drop-in upgrade to 3.25 if we do rpm -U?

It should be, yes.

Note some defaults did change which might require tweaking your config
files. A quick grep on the CHANGES file between 3.26 and 4.5 shows:

* pluto: Change default ikelifetime from 1h to 8h [Paul]
* pluto: change default IKE SA lifetime from 1h to 8h [Paul]
* IKEv2: Remove SHA1 from default proposal list [Paul]
* IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig [Sahana]
* pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
* IKE: Change default connection from IKEv1 to IKEv2 [Paul]

If you did not set ikev2= before, meaning you were using IKEv1, you need
to add ikev2=no

Paul
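As an added illustration (not part of the thread and not libreswan's own documentation), the following ipsec.conf fragment pins the settings whose defaults Paul lists as having changed between 3.26 and 4.5, so that an IKEv1 tunnel that relied on the 3.25 defaults keeps its behaviour after rpm -U. The addresses, subnets, algorithm set and DPD timers are constructed placeholders and must be replaced with whatever the existing tunnel actually negotiates with the ASA; check them against `ipsec status` on the running 3.25 installation before upgrading.

```ini
# Constructed example: explicitly pin the values that 3.25 used as defaults
# and that 4.5 no longer defaults to. Placeholders marked <...> are assumptions.
conn asa-tunnel
    # 4.5 defaults to IKEv2; keep IKEv1 if that is what the ASA side is configured for
    ikev2=no
    type=tunnel
    authby=secret
    left=<our-public-ip>
    leftsubnet=<our-lan>/24
    right=<asa-public-ip>
    rightsubnet=<remote-lan>/24
    # Pin the proposals instead of relying on defaults (SHA1 was dropped from the
    # IKEv2 default list; chacha20_poly1305/curve25519 were added). Match the ASA.
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1
    # 3.25 defaulted ikelifetime to 1h; 4.5 defaults to 8h. State it explicitly.
    ikelifetime=1h
    salifetime=8h
    # Keep DPD explicit so a dead peer is detected and the tunnel re-established
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart
    auto=start
```

After the upgrade, `ipsec verify` and `ipsec status` show whether the connection loaded with the intended IKE version and lifetimes; an unexpected IKEv2 negotiation attempt against an IKEv1-only ASA is the most likely sign that ikev2=no is missing.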