On Sun, 29 Apr 2018, Sceekar O. wrote:

> However, I received a form from a site I want to connect to, to provide Phase 1
> and Phase 2 parameters for my VPN setup, and I'm not sure what the right values are.
>
> If you can help me fill in the right parameters for each "?" in the form
> below, I would be most grateful.

> Phase 1 IPSEC Tunnel | ISAKMP SA Authentication Method | pre-shared | ?

authby=secret

> Phase 1 IPSEC Tunnel | ISAKMP SA Key | To be shared | ?
> Phase 1 IPSEC Tunnel | ISAKMP SA Hash Algorithm | SHA | ?
> Phase 1 IPSEC Tunnel | ISAKMP SA Encryption Algorithm | 3DES | ?
> Phase 1 IPSEC Tunnel | ISAKMP SA Diffie-Hellman Group | 2 | ?

Based on these obsoleted, ancient, unwise parameters, I assume this is
ikev2=never

ike=3des-sha1;modp1024

However, note that Diffie-Hellman Group 2 is OBSOLETE and has been
changed to MUST NOT be implemented in RFC-8247. At the moment, this
DH group is removed from the default but still allowed to be configured.
But very soon this will be removed as it is simply too weak, and your
VPN might break on a libreswan update next year.

version of libreswan it might no longer be possible to

> Phase 1 IPSEC Tunnel | ISAKMP SA Life Duration | 28800 | ?

not negotiated, no option needed.

> Phase 1 IPSEC Tunnel | ISAKMP SA Vendor-ID | disable | ?
> Phase 1 IPSEC Tunnel | ISAKMP SA IKE KeepAlive | disable | ?

same

> Phase 1 IPSEC Tunnel | ISAKMP SA IKE DPD KeepAlive | disable | ?

unwise but means no config option needed.

> IPSec SA
>
> Phase 2 IPSEC Tunnel | IPSec SA – IPSEC Protocol | ESP | ?
> Phase 2 IPSEC Tunnel | IPSec SA – Mode | tunnel | ?
> Phase 2 IPSEC Tunnel | IPSec SA – Hash Algorithm | SHA | ?
> Phase 2 IPSEC Tunnel | IPSec SA – Encryption Algorithm | 3DES | ?

esp=3des-sha1

> Phase 2 IPSEC Tunnel | IPSec SA – Life Type | 3600 | ?
> Phase 2 IPSEC Tunnel | IPSec SA – PFS | enable | ?

pfs=yes

> Phase 2 IPSEC Tunnel | IPSec SA – PFS D-H Group | group2 | ?
> Phase 2 IPSEC Tunnel | IPSec SA – Compression LZS | disable | ?

ipcomp=no (but that is the default already)


Your partner side needs to update their 90s crypto to the standards of
today.

Paul
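As an added example (not part of the thread), the answers above assembled into a libreswan ipsec.conf conn for the partner's form, followed by a second conn with assumed modern values for when the partner moves off 90s crypto. Connection names, gateway addresses and subnets are placeholders, and the PSK itself goes in ipsec.secrets, not here.

```ini
# Added example, not from the thread. Placeholder names/addresses (assumed).
conn partner-legacy
    left=%defaultroute
    leftsubnet=10.0.0.0/24        # placeholder local subnet
    right=203.0.113.1             # placeholder partner gateway (TEST-NET-3 address)
    rightsubnet=192.168.0.0/24    # placeholder remote subnet
    authby=secret                 # ISAKMP SA Authentication Method: pre-shared
    ikev2=never                   # the form describes an IKEv1 Phase 1 / Phase 2 setup
    ike=3des-sha1;modp1024        # 3DES, SHA, DH group 2 (MUST NOT per RFC 8247)
    esp=3des-sha1                 # Phase 2: ESP with 3DES/SHA; tunnel mode is the default
    pfs=yes                       # PFS enabled; the DH group follows the ike= line (group 2)
    ipcomp=no                     # Compression LZS disabled (already the default)
    # Life Duration / Life Type are not negotiated, and Vendor-ID, IKE KeepAlive
    # and DPD KeepAlive are disabled on the partner side, so no options are needed.
    auto=start

# Assumed hardened counterpart (values not from the thread): IKEv2 with AES,
# SHA-2 and a 2048-bit DH group, once the partner side can negotiate them.
conn partner-modern
    left=%defaultroute
    leftsubnet=10.0.0.0/24        # placeholder local subnet
    right=203.0.113.1             # placeholder partner gateway
    rightsubnet=192.168.0.0/24    # placeholder remote subnet
    authby=secret
    ikev2=insist                  # require IKEv2, no IKEv1 fallback
    ike=aes256-sha2;modp2048      # assumed: AES-256, SHA-2, DH group 14
    esp=aes256-sha2               # assumed: AES-256 with SHA-2 integrity
    pfs=yes
    auto=start
```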
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
