On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
> I am running libreswan version 3.29 on CentOS 7.6 and the details are as below:
> I have the below config.
> conn apps-tomcat-primary
> type=tunnel
> authby=secret
> left=%defaultroute
> leftid=128.117.167.12
> leftnexthop=%defaultroute
> leftsubnet=128.117.167.12/32
> right=126.114.94.7
> rightsubnet=126.114.90.7/32
> ike=aes128-sha1;modp1024
Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
compile-time disabled by default.
> phase2alg=aes128-sha1;modp1536
It also makes little sense to have a larger phase2 DH group.
> pfs=yes
> auto=start
> ikev2=no
> I would appreciate it if you could let me know the suggested cipher suites
> (encryption and authentication) to be implemented as per the above Libreswan
> IPsec configuration.
It will only allow what you specified on the ike= and esp= lines. Only
if you specify nothing in the conn, do you get default ciphers either
from conn %default or via the system-wide crypto policies (via conn
%default).
So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
INTEG, using DH2. Your esp=/phase2alg= line only allows AES 128 bit key,
SHA1 for INTEG and DH5 Quickmode/PFS.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
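An added example, not from the thread and not libreswan's own code: a small Python checker that applies Paul's two points to the conn above. It parses ike=/phase2alg= values in the simple enc-integ;dhgroup form shown in the post (several proposals separated by commas; the dhN aliases handled are assumed) and reports an IKE DH group below 2048 bits (that threshold is my assumption; the post only calls DH2/modp1024 too weak) and a phase 2 PFS group larger than the IKE group.

```python
import re

# dhN names map to the MODP groups of the same size (RFC 2409 / RFC 3526);
# only the aliases needed here are listed (assumed subset).
DH_ALIASES = {"dh1": "modp768", "dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048"}
# Assumed threshold: the post only says DH2 (modp1024) is too weak.
MIN_DH_BITS = 2048


def parse_alg_line(value):
    """Split an ike=/phase2alg= value into (enc, integ, dh) tuples.

    Handles the "enc-integ;dhgroup" form from the post; no default expansion.
    """
    proposals = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        algs, _, dh = item.partition(";")        # ";" separates the DH group
        enc, _, integ = algs.partition("-")      # "-" separates enc and integ
        dh = DH_ALIASES.get(dh.lower(), dh.lower()) or None
        proposals.append((enc.lower(), integ.lower() or None, dh))
    return proposals


def dh_bits(group):
    """Return the modulus size of a modpNNNN group, or None if unknown."""
    m = re.fullmatch(r"modp(\d+)", group or "")
    return int(m.group(1)) if m else None


def check_conn(conn):
    """Return findings for a dict of conn settings (ike, phase2alg/esp, pfs)."""
    findings = []
    ike = parse_alg_line(conn.get("ike", ""))
    esp = parse_alg_line(conn.get("phase2alg", conn.get("esp", "")))
    for enc, integ, dh in ike:
        bits = dh_bits(dh)
        if bits is not None and bits < MIN_DH_BITS:
            findings.append(f"ike: {enc}-{integ};{dh} uses a {bits}-bit DH group, too weak")
    ike_max = max((dh_bits(p[2]) or 0 for p in ike), default=0)
    if conn.get("pfs", "yes").lower() == "yes":   # PFS group only matters when pfs=yes
        for enc, integ, dh in esp:
            bits = dh_bits(dh)
            if bits is not None and bits > ike_max:
                findings.append(f"phase2: {dh} is larger than the IKE group ({ike_max}-bit)")
    return findings


# Constructed from the conn in the post.
POST_CONN = {"ike": "aes128-sha1;modp1024", "phase2alg": "aes128-sha1;modp1536", "pfs": "yes"}

if __name__ == "__main__":
    for line in check_conn(POST_CONN):
        print(line)
```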