I have an IPsec tunnel configured with a third party, who have informed me they require a config change this week. It has been nearly a year since I last touched this, so I'm knocking the rust off my Libreswan-Fu. Below are the original specs from the third party, the current tunnel config that is working, and the new specs. Can someone give me some guidance on what changes I need to make in the new config? pfs=yes seems obvious, and I assume the ike and phase2alg values need to change; some guidance would be super helpful.
Orig Specs:
  Support Key Exchange for Subnets: ON
  IKE Encryption Method: AES256 SHA
  IKE Diffie-Hellman Group for Phase 1: Group 2 (1024 bit)
  IKE (Phase-1) Timeout: 1440 Min
  IPSEC Encryption Method: AES256 SHA
  IPSEC (Phase-2) Timeout: 3600 Sec
  PFS (Perfect Forward Secrecy): Disabled
  Keepalive: Disabled

Orig ipsec.conf:
  conn 1
      type=tunnel
      authby=secret
      initial-contact=yes
      encapsulation=yes
      rekey=yes
      auto=start
      pfs=no
      ikelifetime=1440m
      salifetime=60m
      ike=aes256-sha1;dh2
      phase2alg=aes256-sha1;modp1024
      aggrmode=no
      left=%defaultroute

New Specs:
  IKE Version: IKEv2
  Phase-1 Parameters
    Encryption Algorithm: AES-GCM-256
    Integrity algorithm: Null
    Diffie-Hellman group: Group 24
    Phase-1 lifetime (Secs/KB): 86400 sec
  Phase-2 Parameters
    Encryption & Integrity algorithm: ESP-GCM-256
    Integrity algorithm: Null
    PFS: Yes
    Diffie-Hellman group (if PFS = Yes): Group 24
    Phase-2 Lifetime (Secs/KB): 3600 sec

New ipsec.conf:
  conn 1
      type=tunnel
      authby=secret
      initial-contact=yes
      encapsulation=yes
      rekey=yes
      auto=start
      pfs=yes
      ikelifetime=1440m
      salifetime=60m
      ike=??
      phase2alg=??
      aggrmode=no
      left=%defaultroute
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
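Added example (not part of the original thread or any reply to it): one way to express the new third-party parameters in Libreswan ipsec.conf syntax, carrying over the settings from the poster's working conn that the new spec does not change. It assumes Libreswan 3.2x keyword spelling (ikev2=insist; Libreswan 4.x uses ikev2=yes), that the installed build still enables the RFC 5114 group "dh24" (modp2048s256), and that the peer's IKEv2 PRF is SHA2-256, which the spec does not list: with an AEAD cipher such as AES-GCM the "Null" integrity entry means the cipher provides integrity itself, but IKEv2 still negotiates a PRF, so that value has to be confirmed with the third party. The lifetimes are unchanged, since 86400 s is the 1440m and 3600 s the 60m already in the config.

```ini
# Added example, not the poster's config. Assumptions: Libreswan 3.2x syntax,
# dh24 available in this build, peer IKEv2 PRF = SHA2-256 (verify with the peer).
conn 1
    type=tunnel
    authby=secret
    initial-contact=yes
    encapsulation=yes
    rekey=yes
    auto=start
    # IKEv2 only; on Libreswan 4.x write ikev2=yes instead
    ikev2=insist
    # Phase 1: AES-GCM-256 is an AEAD cipher, so no separate integrity
    # algorithm is given; the sha2_256 field selects the IKEv2 PRF (assumption)
    # and dh24 is RFC 5114 Group 24 (modp2048s256)
    ike=aes_gcm256-sha2_256;dh24
    # Phase-1 lifetime: 86400 s = 1440 min, unchanged from the old config
    ikelifetime=1440m
    # Phase 2: ESP AES-GCM-256, null integrity (provided by GCM); with
    # pfs=yes the ;dh24 suffix is the PFS group the new spec requires
    pfs=yes
    phase2alg=aes_gcm256;dh24
    # Phase-2 lifetime: 3600 s = 60 min, unchanged from the old config
    salifetime=60m
    # aggrmode is an IKEv1 setting and is ignored under IKEv2
    aggrmode=no
    left=%defaultroute
```

Before scheduling the change window, confirm the proposal strings parse on the installed version with "ipsec algparse 'ike=aes_gcm256-sha2_256;dh24'" and "ipsec algparse 'esp=aes_gcm256;dh24'" (libreswan 3.21 and later ship that tool): the AES-GCM spelling and the dh24 group are the two items most likely to differ between builds, and a proposal the local side cannot parse will keep the conn from loading rather than fail at negotiation time.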
