Hello Paul, Thanks a lot for your detailed response - well received.
Regards,

On Sun, Apr 29, 2018 at 5:15 PM, Paul Wouters <[email protected]> wrote:
> On Sun, 29 Apr 2018, Sceekar O. wrote:
>
>> However, I received a Form from a site I want to connect to, to
>> provide Phase 1 and Phase 2 parameters for my VPN
>> setup; and I'm not sure what the right values are.
>>
>> If you can help me fill in the right parameters for each " ? " in the
>> form below, I would be most grateful.
>>
>> ISAKMP SA Authentication Method
>> pre-shared
>
> authby=secret
>
>> ?
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA Key
>> To be shared
>> ?
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA Hash Algorithm
>> SHA
>> ?
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA Encryption Algorithm
>> 3DES
>> ?
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA Diffie-Hellman Group
>> 2
>> ?
>
> based on these obsoleted ancient unwise parameters, I assume this is
> ikev2=never
>
> ike=3des-sha1;modp1024
>
> However, note that Diffie-Hellman Group 2 is OBSOLETE and has been
> changed to MUST NOT be implemented in RFC-8247. At the moment, this
> DH group is removed from the default but still allowed to be configured.
> But very soon this will be removed as it is simply too weak, and your
> VPN might break on a libreswan update next year.
>
> version of libreswan it might no longer be possible to
>
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA Life Duration
>> 28800
>> ?
>
> not negotiated, no option needed.
>
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA Vendor-ID
>> disable
>> ?
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA IKE KeepAlive
>> disable
>> ?
>
> same
>
>> Phase 1 IPSEC Tunnel
>> ISAKMP SA IKE DPD KeepAlive
>> disable
>> ?
>> Phase 1 IPSEC Tunnel
>
> unwise but means no config option needed.
>
>> IPSec SA
>>
>> IPSec SA – IPSEC Protocol
>> ESP
>> ?
>> Phase 2 IPSEC Tunnel
>> IPSec SA – Mode
>> tunnel
>> ?
>> Phase 2 IPSEC Tunnel
>> IPSec SA – Hash Algorithm
>> SHA
>> ?
>> Phase 2 IPSEC Tunnel
>> IPSec SA – Encryption Algorithm
>> 3DES
>> ?
>
> esp=3des-sha1
>
>> Phase 2 IPSEC Tunnel
>> IPSec SA – Life Type
>> 3600
>> ?
>> Phase 2 IPSEC Tunnel
>> IPSec SA – PFS
>> enable
>
> pfs=yes
>
>> ?
>> Phase 2 IPSEC Tunnel
>> IPSec SA – PFS D-H Group
>> group2
>> ?
>> Phase 2 IPSEC Tunnel
>> IPSec SA – Compression LZS
>> disable
>> ?
>
> ipcomp=no (but that is the default already)
>
> Your partner side needs to update their 90s crypto to the standards of
> today.
>
> Paul
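The option-by-option mapping Paul gives above, assembled into a libreswan configuration as an added example (not from the thread or the libreswan project); addresses, subnets, connection names and the PSK are placeholders, the `ikev2=` spellings follow libreswan 3.x as current in 2018, and the algorithm choices in the second conn are an assumption of what "standards of today" could look like.

```ini
# /etc/ipsec.conf fragment (added example). Placeholders throughout.
conn partner-legacy
    # "ISAKMP SA Authentication Method: pre-shared" -> PSK, kept in ipsec.secrets
    authby=secret
    left=192.0.2.10            # placeholder: our gateway address
    right=198.51.100.20        # placeholder: partner gateway address
    leftsubnet=10.0.0.0/24     # placeholder: network behind us
    rightsubnet=10.1.0.0/24    # placeholder: network behind the partner
    # Phase 1 (ISAKMP SA): 3DES, SHA, DH group 2 -> IKEv1 only
    ikev2=never                # 3.x spelling; later releases use ikev2=no
    ike=3des-sha1;modp1024     # modp1024 = group 2, MUST NOT per RFC 8247
    # Phase 2 (IPsec SA): ESP, tunnel mode, 3DES, SHA, PFS enabled.
    # No group on esp= means the IKE SA's group (modp1024) is reused for
    # PFS, matching "PFS D-H Group: group2".
    phase2=esp
    type=tunnel
    esp=3des-sha1
    pfs=yes
    # Lifetimes (28800 / 3600 s) are not negotiated; set locally if you want
    # them to match the form rather than libreswan's defaults.
    ikelifetime=8h
    salifetime=1h
    ipcomp=no                  # "Compression LZS: disable"; already the default
    auto=start

# Same tunnel with the partner's crypto brought forward (assumed choices):
# IKEv2, AES-256, SHA-2, DH group 14 for both IKE and PFS.
conn partner-modern
    authby=secret
    left=192.0.2.10
    right=198.51.100.20
    leftsubnet=10.0.0.0/24
    rightsubnet=10.1.0.0/24
    ikev2=insist               # 3.x spelling; later releases use ikev2=yes
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256;modp2048
    pfs=yes
    auto=start

# /etc/ipsec.secrets (added example): the "ISAKMP SA Key: To be shared" value
192.0.2.10 198.51.100.20 : PSK "REPLACE-WITH-THE-SHARED-KEY"
```

Only one of the two conns should be enabled for a given partner; the legacy one is there to show exactly which lines the weak form values turn into, and which ones a libreswan upgrade that drops modp1024 would break.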
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
