Thanks Paul for the help and much appreciated.

On Tue, Jul 9, 2019 at 9:12 AM Paul Wouters <[email protected]> wrote:

> On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
>
> > I am running libreswan version 3.29 on CentOS 7.6 and the details are as
> > below:-
> >
> > I have the below config.
> >
> > conn apps-tomcat-primary
> >     type=tunnel
> >     authby=secret
> >     left=%defaultroute
> >     leftid=128.117.167.12
> >     leftnexthop=%defaultroute
> >     leftsubnet=128.117.167.12/32
> >     right=126.114.94.7
> >     rightsubnet=126.114.90.7/32
> >     ike=aes128-sha1;modp1024
>
> Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
> compile time disabled by default.
>
> >     phase2alg=aes128-sha1;modp1536
>
> It also makes little sense to have a larger phase2 DH group.
>
> >     pfs=yes
> >     auto=start
> >     ikev2=no
> >
> > I will appreciate if you can let me know the suggested cipher suites
> > (encryption and authentication) to be implemented as per the above
> > Libreswan IPsec configuration.
>
> It will only allow what you specified on the ike= and esp= lines. Only
> if you specify nothing in the conn, do you get default ciphers either
> from conn %default or via the system-wide crypto policies (via conn
> %default).
>
> So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
> INTEG, using DH2. Your esp=/phase2alg= line only allows AES 128 bit key,
> SHA1 for INTEG and DH5 Quickmode/PFS.
>
> Paul
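To turn Paul's two points (DH2 is too weak; a phase2 DH group larger than the IKE group makes little sense) into something checkable, here is a small audit script for one ipsec.conf conn block. It is an added example, not code from the thread or from libreswan; the DH strength table and the "below 2048-bit MODP" threshold are my own approximate policy, and the sample conn is the one posted above trimmed to its crypto lines.

```python
# Approximate security strength in bits for libreswan DH group names
# (constructed table for this example, following common NIST estimates).
DH_STRENGTH = {"modp1024": 80, "dh2": 80, "modp1536": 89, "dh5": 89,
               "modp2048": 112, "dh14": 112, "modp3072": 128, "dh15": 128,
               "modp4096": 152, "dh16": 152, "dh19": 128, "dh20": 192, "dh21": 256}
# Legacy transforms to flag, with the replacement to suggest.
LEGACY = {"sha1": "sha2_256", "md5": "sha2_256", "3des": "aes128", "des": "aes128", "null": "aes128"}

# The conn from the thread above, trimmed to the crypto-relevant lines (sample input).
SAMPLE_CONN = "conn apps-tomcat-primary\n ike=aes128-sha1;modp1024\n phase2alg=aes128-sha1;modp1536\n pfs=yes\n ikev2=no\n"

def parse_conn(text):
    """Read the key=value lines of one ipsec.conf conn block into a dict."""
    lines = (l.strip() for l in text.splitlines())
    return dict(tuple(p.strip() for p in l.split("=", 1)) for l in lines if "=" in l and not l.startswith("#"))

def parse_proposals(spec):
    """'aes128-sha1;modp1024,aes256-sha2_256;dh19' -> [(algs, dh_groups), ...]"""
    return [(algs.split("-"), [d for d in dh.split("+") if d])
            for algs, _, dh in (p.partition(";") for p in spec.split(","))]

def audit_conn(text):
    """Return findings for weak or inconsistent ike=/esp= settings in one conn."""
    opts, findings = parse_conn(text), []
    pfs = opts.get("pfs", "yes").lower() == "yes"           # libreswan defaults to pfs=yes
    best = {"ike": (0, "none"), "esp": (0, "none")}          # strongest DH offered per line
    specs = (("ike", opts.get("ike", "")), ("esp", opts.get("esp") or opts.get("phase2alg", "")))
    for label, spec in specs:
        for algs, dhs in parse_proposals(spec):
            for a in algs:
                if a in LEGACY:
                    findings.append(f"{label}: legacy transform {a}; prefer {LEGACY[a]}")
            for d in (dhs if pfs or label == "ike" else []):  # esp DH only matters with pfs=yes
                bits = DH_STRENGTH.get(d, 0)                 # unknown group names count as weak
                if bits < 112:
                    findings.append(f"{label}: DH group {d} is below 2048-bit MODP; use dh14, dh19 or stronger")
                best[label] = max(best[label], (bits, d))
    if pfs and best["esp"][0] > best["ike"][0]:
        findings.append(f"pfs: phase2 DH {best['esp'][1]} is stronger than IKE DH {best['ike'][1]}; "
                        "the IKE SA is the weaker link, so use the same group on both lines")
    if opts.get("ikev2", "").lower() == "no":
        findings.append("ikev2=no: conn is IKEv1 only; prefer IKEv2 where the peer supports it")
    return findings

if __name__ == "__main__":
    for finding in audit_conn(SAMPLE_CONN):
        print(finding)
```

Run against the posted conn it reports the legacy SHA1 integrity on both lines, the DH2 and DH5 groups, the mismatched phase2 group and the IKEv1-only setting; a conn using, say, `ike=aes256-sha2_256;dh19` with `esp=aes_gcm256;dh19` produces no findings.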
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
