ok, thank you.<div id="yMail_cursorElementTracker_1587879979492"><br></div><div id="yMail_cursorElementTracker_1587879979654">cheers,</div><div id="yMail_cursorElementTracker_1587879981876">john<br id="yMail_cursorElementTracker_1587879973318"><br> <br> <blockquote style="margin: 0 0 20px 0;"> <div style="font-family:Roboto, sans-serif; color:#6D00F6;"> <div>On Thu, 23 Apr 2020 at 8:47 PM, Paul Wouters</div><div><paul@nohats.ca> wrote:</div> </div> <div style="padding: 10px 0 0 20px; margin: 10px 0 0 0; border-left: 1px solid #6D00F6;"> On Thu, 23 Apr 2020, John Serink wrote:<div class="yqt1132591644 yQTDBase" id="yqtfd15120"><br clear="none"><br clear="none">> I'm on gentoo and I upgraded to 3.31 which broke all of my tunnels.<br clear="none">> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the Cisco broke.<br clear="none">> I'm sure the reason is this:<br clear="none">> <br clear="none">>      ike=aes128-md5;modp1024<br clear="none">>      phase2alg=aes128-md5;modp1024<br clear="none">> <br clear="none">> Is there any way to "encourage" V3.31 to support the modp1024?</div><br clear="none"><br clear="none">You have to recompile with USE_DH2=true<br clear="none"><br clear="none">Of course, it is strongly recommended you do not do this and fix those<br clear="none">tunnel configurations to not use crypto parameters from the 1990s.<br clear="none"><br clear="none">See RFC 8247 <a shape="rect" href="https://tools.ietf.org/html/rfc8247" target="_blank">https://tools.ietf.org/html/rfc8247</a><br clear="none"><br clear="none">    Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in<br clear="none">    RFC 4307 to SHOULD NOT.  
It is known to be weak against sufficiently<br clear="none">    funded attackers using commercially available mass-computing<br clear="none">    resources, so its security margin is considered too narrow.  It is<br clear="none">    expected in the near future to be downgraded to MUST NOT.<br clear="none"><br clear="none">Paul<div class="yqt1132591644 yQTDBase" id="yqtfd23729"><br clear="none"></div> </div> </blockquote></div>
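As an added example, not from this thread and not libreswan's own code: a small POSIX sh check that flags the modp1024/MD5 settings John posted in a conn section, next to the same conn rewritten to modp2048 (DH group 14) with SHA-256, which is the kind of configuration fix Paul recommends instead of the USE_DH2=true rebuild. The two conn fragments are constructed for this example, and whether John's Cisco IOS peer will accept group 14 and SHA-256 is an assumption about that device, not something the thread states.

```shell
#!/bin/sh
# Added example, not part of the original thread or of libreswan itself.
# It audits libreswan-style conn settings for the parameters Paul objects to
# (DH group 2 = modp1024, also spelled dh2 in libreswan, and MD5) and shows a
# replacement that keeps AES-128 but moves to modp2048 (DH group 14) with
# SHA-256.  Both conn fragments are constructed for this example; whether the
# Cisco IOS peer accepts group 14 / SHA-256 is an assumption about that device.

WEAK_CONF='conn cisco
        ike=aes128-md5;modp1024
        phase2alg=aes128-md5;modp1024'

# phase2alg= is libreswan's older name for esp=; both spellings are audited.
FIXED_CONF='conn cisco
        ike=aes128-sha2_256;modp2048
        phase2alg=aes128-sha2_256;modp2048'

# Print every ike=/esp=/phase2alg= line that names modp1024, dh2 or md5.
# Exit status 0 when at least one such line exists, 1 when the fragment is clean.
has_weak_params() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*(ike|esp|phase2alg)=' |
        grep -iE 'modp1024|dh2([^0-9]|$)|md5'
}

# Same check, reporting only the number of offending lines (0 when clean).
count_weak_lines() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*(ike|esp|phase2alg)=' |
        grep -icE 'modp1024|dh2([^0-9]|$)|md5' || true
}

if has_weak_params "$WEAK_CONF" >/dev/null; then
    echo "weak: $(count_weak_lines "$WEAK_CONF") line(s) still use modp1024/md5"
fi
has_weak_params "$FIXED_CONF" >/dev/null || echo "fixed fragment is clean"
```

The `dh2([^0-9]|$)` alternative is there so that the libreswan alias `dh2` is caught without matching `dh20` through `dh24`; `modp2048` and `sha2_256` contain neither spelling, so the corrected fragment passes. The check only looks at the local side; the peer's IKE policy has to be moved to group 14 and SHA-256 as well, or the tunnel will fail to negotiate for a different reason.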