On Thu, 31 Jan 2019, Mr. Jan Walter wrote:

That's in the config already. Other ideas?

        ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024
        esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1,aes256-sha1

That adds the weak modp groups that Windows mistakenly uses on rekey.

Note for your reference, we reported IKEv2 only using weak groups in
October 2016, and got assigned Microsoft MSRC Case: 35732. We found out
about the rekey using the bad group in Feb 2018 and notified using the
same case number.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
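
An added example, not part of the original message or of libreswan's own code: a small audit helper that parses the ike= value quoted above and reports which proposals carry a weak DH group, so the interoperability exceptions in a config stay visible. The names parse_ike and weak_proposals and the WEAK_DH set are assumptions of this example; only the "enc-integ;dh" form used in the message is handled.

```python
# Added example: flag IKE proposals that use a weak Diffie-Hellman group.
# Constructed input: the ike= value quoted in the message above.
IKE_LINE = ("ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,"
            "aes256-sha2;modp1024,aes128-sha1;modp1024")

# Assumption of this example: MODP groups below 2048 bits count as weak.
WEAK_DH = {"modp768", "modp1024", "modp1536"}


def parse_ike(line):
    """Split 'ike=enc-integ;dh,...' into a list of (enc, integ, dh) tuples."""
    key, sep, value = line.strip().partition("=")
    if not sep or key.strip() != "ike":
        raise ValueError("not an ike= line: %r" % line)
    proposals = []
    for item in value.split(","):
        algs, _, dh = item.strip().partition(";")
        enc, _, integ = algs.partition("-")
        # dh is None when the proposal leaves the group to the defaults
        proposals.append((enc, integ, dh or None))
    return proposals


def weak_proposals(line):
    """Return (position, proposal) pairs whose DH group is in WEAK_DH."""
    return [(pos, prop)
            for pos, prop in enumerate(parse_ike(line), start=1)
            if prop[2] in WEAK_DH]


if __name__ == "__main__":
    for pos, (enc, integ, dh) in weak_proposals(IKE_LINE):
        print("proposal %d: %s-%s uses weak group %s" % (pos, enc, integ, dh))
```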
