On Sat, 23 Feb 2019, Paul Connolly wrote:

I have an IPsec tunnel configured with a third party that has informed me they require a config change this week, and it's been nearly a year since I last touched this, so I'm knocking the rust off my Libreswan-Fu. Below are the original specs from the third party and the current tunnel config that is working, as well as the new specs. Can someone give some guidance on what changes I need to make on the new config? PFS=yes seems obvious and I assume ike and phase2alg values need to change; some guidance would be super helpful.

I'm glad to see people migrating to more secure parameters. I wish more
people did that!

Orig IPsec.conf

  ikelifetime=1440m
  salifetime=60m
  ike=aes256-sha1;dh2
  phase2alg=aes256-sha1;modp1024

New Specs:
IKE Version: IKEv2

        ikev2=insist

Phase - 1 Parameters
Encryption Algorithm: AES-GCM-256
Integrity algorithm: Null
Diffie-Hellman group: Group 24

Now this is tricky. They want DH24? There are issues with DH 22-24, see:

https://tools.ietf.org/html/rfc8247#section-2.4

   Groups 22, 23, and 24 are MODP groups with Prime Order Subgroups that
   are not safe primes.  The seeds for these groups have not been
   publicly released, resulting in reduced trust in these groups.  These
   groups were proposed as alternatives for groups 2 and 14 but never
   saw wide deployment.  It has been shown that group 22 with 1024-bit
   MODP is too weak and academia have the resources to generate
   malicious values at this size.  This has resulted in group 22 to be
   demoted to MUST NOT.  Groups 23 and 24 have been demoted to SHOULD
   NOT and are expected to be further downgraded in the near future to
   MUST NOT.  Since groups 23 and 24 have small subgroups, the checks
   specified in the first bullet point of Section 2.2 of "Additional
   Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2
   (IKEv2)" [RFC6989] MUST be done when these groups are used.


libreswan supports DH 22-24 but no longer compiles support in by
default, and depending on your compile/distro, you might have to
recompile with USE_DH24=true set in Makefile.inc (or Makefile.inc.local).

If you do, then the ike= line becomes:

        ike=aes_gcm256-sha2_256;dh24

But I recommend:

        ike=aes_gcm256-sha2_256;dh19

Note the sha2_256 here stands for the PRF, not the INTEG (GCM is an AEAD
algorithm with built-in integrity alongside encryption).

Phase-1 lifetime (Secs/KB): 86400 sec

        ikelifetime=86400

Phase - 2 Parameters
Encryption & Integrity algorithm: ESP-GCM-256
Integrity algorithm: Null
PFS: Yes

        esp=aes_gcm256;dh19

(or dh24 see above)

The DH on the esp= line is for pfs=yes

Diffie-Hellman group (IF PFS = Yes): Group 24
Phase-2 Lifetime (Secs/KB): 3600 sec

        salifetime=3600

If you upgrade these, since you are using a PSK which is vulnerable to
dictionary attacks, please use a minimum of 32 random characters for the PSK.

Paul
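The migration discussed in this thread, as an added example that is not part of the mailing-list post or of the libreswan project: a small Python audit that parses two constructed ipsec.conf conn stanzas (the poster's original settings and the same conn rewritten to the new specs with the recommended dh19), extracts the DH groups from the ike=/esp=/phase2alg= proposals, and flags the RFC 8247 section 2.4 groups (dh2/modp1024, dh22, dh23, dh24) plus any missing ikev2=insist, pfs, or lifetime mismatch. The connection names, addresses and subnets are placeholders I made up; the option names are real libreswan keywords from the thread.

```python
import re

# Constructed sample: the poster's original conn; endpoints are placeholders.
OLD_CONN = """\
conn thirdparty-old
    left=%defaultroute
    leftsubnet=10.0.0.0/24
    right=203.0.113.10
    rightsubnet=192.168.100.0/24
    authby=secret
    ikelifetime=1440m
    salifetime=60m
    ike=aes256-sha1;dh2
    phase2alg=aes256-sha1;modp1024
"""

# Constructed sample: the same conn migrated to the new specs, with the
# reply's recommended dh19 in place of the third party's dh24.
NEW_CONN = """\
conn thirdparty-new
    left=%defaultroute
    leftsubnet=10.0.0.0/24
    right=203.0.113.10
    rightsubnet=192.168.100.0/24
    authby=secret
    ikev2=insist
    ikelifetime=86400
    salifetime=3600
    pfs=yes
    ike=aes_gcm256-sha2_256;dh19
    esp=aes_gcm256;dh19
"""

# libreswan accepts both "dhN" and "modpNNNN" spellings for MODP groups.
DH_ALIASES = {"modp1024": "dh2"}

# RFC 8247 section 2.4 status for the groups this thread touches.
DH_STATUS = {
    "dh2": "SHOULD NOT (1024-bit MODP)",
    "dh22": "MUST NOT (1024-bit MODP, non-safe prime, seeds unpublished)",
    "dh23": "SHOULD NOT (2048-bit MODP, non-safe prime, seeds unpublished)",
    "dh24": "SHOULD NOT (2048-bit MODP, non-safe prime, seeds unpublished)",
}


def parse_conn(text):
    """Return (conn name, {option: value}) for one ipsec.conf conn stanza."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts


def to_seconds(value):
    """Convert an ipsec.conf time value (bare seconds, or s/m/h/d suffix)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def dh_groups(proposal):
    """List DH groups in an ike=/esp=/phase2alg= string.

    Each comma-separated proposal is enc-integ;dh and '+' joins alternatives."""
    groups = []
    for prop in proposal.split(","):
        _, _, dh = prop.partition(";")
        for g in dh.split("+"):
            g = g.strip().lower()
            if g:
                groups.append(DH_ALIASES.get(g, g))
    return groups


def audit_conn(text):
    """Findings for one conn; an empty list means it matches the new specs."""
    _, o = parse_conn(text)
    findings = []
    if o.get("ikev2") != "insist":
        findings.append("ikev2 is not 'insist': IKEv1 may still be negotiated")
    for key in ("ike", "esp", "phase2alg"):
        for g in dh_groups(o.get(key, "")):
            if g in DH_STATUS:
                findings.append(f"{key}= uses {g}: {DH_STATUS[g]}")
    if o.get("pfs", "yes").lower() != "yes":  # libreswan defaults to pfs=yes
        findings.append("pfs=no, but the new specs require PFS")
    for key, want in (("ikelifetime", 86400), ("salifetime", 3600)):
        have = to_seconds(o[key]) if key in o else None
        if have != want:
            findings.append(f"{key} is {have}, specs require {want} seconds")
    return findings


if __name__ == "__main__":
    for label, conn in (("old", OLD_CONN), ("new", NEW_CONN)):
        print(f"{label} ({parse_conn(conn)[0]}):")
        for f in audit_conn(conn) or ["no findings"]:
            print("  -", f)
```

Running it reports three findings on the old conn (no ikev2=insist, and dh2 on both the ike= and phase2alg= lines, since modp1024 is the same group under another name) and none on the new one; the old lifetimes of 1440m and 60m already equal the 86400 and 3600 seconds in the new specs, so only the spelling changes there.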
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan