Building your config file to conform to Suite B (RFC 6379) is a good reference.
https://datatracker.ietf.org/doc/rfc6379/?include_text=1

> On Jul 9, 2019, at 1:06 AM, Kaushal Shriyan <[email protected]> wrote:
>
> Thanks Paul for the help and much appreciated.
>
>> On Tue, Jul 9, 2019 at 9:12 AM Paul Wouters <[email protected]> wrote:
>> On Tue, 9 Jul 2019, Kaushal Shriyan wrote:
>>
>> > I am running libreswan version 3.29 on CentOS 7.6 and the details are as
>> > below:-
>>
>> > I have the below config.
>> >
>> > conn apps-tomcat-primary
>> > type=tunnel
>> > authby=secret
>> > left=%defaultroute
>> > leftid=128.117.167.12
>> > leftnexthop=%defaultroute
>> > leftsubnet=128.117.167.12/32
>> > right=126.114.94.7
>> > rightsubnet=126.114.90.7/32
>> > ike=aes128-sha1;modp1024
>>
>> Note using DH2 makes no sense. It's too weak. libreswan-3.30 has it
>> compile time disabled by default.
>>
>> > phase2alg=aes128-sha1;modp1536
>>
>> It also makes little sense to have a larger phase2 DH group.
>>
>> > pfs=yes
>> > auto=start
>> > ikev2=no
>> >
>> >
>> > I will appreciate if you can let me know the suggested cipher suites
>> > (encryption and authentication) to be implemented as per the above
>> > Libreswan IPsec configuration.
>>
>> It will only allow what you specified on the ike= and esp= lines. Only
>> if you specify nothing in the conn, do you get default ciphers either
>> from conn %default or via the system-wide crypto policies (via conn
>> %default).
>>
>> So your ike= line will only allow AES 128 bit key, SHA1 for PRF and
>> INTEG, using DH2. Your esp=/phase2alg= line only allows AES 128 bit key,
>> SHA1 for INTEG and DH5 Quickmode/PFS.
>>
>> Paul
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
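As an added example (not part of the list thread and not libreswan project code): the conn from the thread placed beside a hardened version, plus a small ipsec.conf linter that flags the three things Paul pointed out (a sub-2048-bit DH group, a phase 2 PFS group that differs from the IKE group, and ikev2=no). Assumptions are labelled in the code: the hardened conn uses the Suite-B-GCM-256 algorithms of RFC 6379 spelled in libreswan names (aes256-sha2_384;dh20 for IKE, aes_gcm256;dh20 for ESP), it assumes libreswan 3.x keyword syntax (ikev2=insist, a ';dh20' suffix on esp=), and it keeps authby=secret from the original even though Suite B proper calls for ECDSA authentication, so the result is "Suite B ciphers", not a Suite B profile. Treating modp1536 and SHA-1 as legacy is this example's own policy, not something the thread states.

```python
"""Lint libreswan ipsec.conf 'conn' sections for weak or inconsistent proposals."""
import re

# Alias table (assumption): libreswan accepts both 'dhN' and 'modpNNNN'/'ecp_NNN'.
DH_ALIASES = {
    "dh1": "modp768", "dh2": "modp1024", "dh5": "modp1536",
    "dh14": "modp2048", "dh15": "modp3072", "dh16": "modp4096",
    "dh17": "modp6144", "dh18": "modp8192",
    "dh19": "ecp_256", "dh20": "ecp_384", "dh21": "ecp_521",
    "ecp256": "ecp_256", "ecp384": "ecp_384", "ecp521": "ecp_521",
}
WEAK_DH = {"modp768", "modp1024", "modp1536"}   # policy assumption: anything below MODP-2048
WEAK_INTEG = {"md5", "sha1"}                     # policy assumption: legacy HMAC choices

# Constructed sample: the conn from the thread, and a hardened variant.
SAMPLE_CONF = """\
conn apps-tomcat-primary
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=128.117.167.12
    leftnexthop=%defaultroute
    leftsubnet=128.117.167.12/32
    right=126.114.94.7
    rightsubnet=126.114.90.7/32
    ike=aes128-sha1;modp1024          # DH2: too weak
    phase2alg=aes128-sha1;modp1536    # DH5, and larger than the IKE group
    pfs=yes
    auto=start
    ikev2=no

conn apps-tomcat-hardened
    type=tunnel
    authby=secret                     # PSK kept from the original; Suite B itself wants ECDSA
    left=%defaultroute
    leftid=128.117.167.12
    leftsubnet=128.117.167.12/32
    right=126.114.94.7
    rightsubnet=126.114.90.7/32
    ike=aes256-sha2_384;dh20          # RFC 6379 Suite-B-GCM-256 IKE algorithms (assumed spelling)
    esp=aes_gcm256;dh20               # AES-GCM-256 ESP, PFS on the same group as IKE
    pfs=yes
    auto=start
    ikev2=insist                      # libreswan 3.x keyword (assumption)
"""

def canonical_dh(name):
    name = name.lower()
    return DH_ALIASES.get(name, name)

def parse_proposals(value):
    """Split 'aes128-sha1;modp1024,aes256-sha2_256-dh14' into dicts of enc/integ/dh."""
    out = []
    for prop in value.split(","):
        prop, dh = prop.strip(), None
        if not prop:
            continue
        if ";" in prop:
            prop, dh = prop.split(";", 1)
        parts = [p for p in prop.split("-") if p]
        # newer syntax allows the DH group as the last '-' separated element
        if dh is None and len(parts) > 1 and canonical_dh(parts[-1]).startswith(("modp", "ecp_")):
            dh = parts.pop()
        out.append({"enc": parts[0] if parts else "",
                    "integ": parts[1] if len(parts) > 1 else None,
                    "dh": canonical_dh(dh) if dh else None})
    return out

def parse_conns(text):
    """Return {conn_name: {keyword: value}}; comments and blank lines are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def lint_conn(name, conn):
    findings = []
    if conn.get("ikev2", "").lower() in ("no", "never"):
        findings.append(f"{name}: ikev2={conn['ikev2']} forces IKEv1")
    ike = parse_proposals(conn.get("ike", ""))
    esp = parse_proposals(conn.get("esp", conn.get("phase2alg", "")))
    ike_dh = {p["dh"] for p in ike if p["dh"]}
    for p in ike:
        if p["dh"] in WEAK_DH:
            findings.append(f"{name}: ike= uses weak DH group {p['dh']}")
        if p["integ"] in WEAK_INTEG:
            findings.append(f"{name}: ike= uses legacy PRF/integrity {p['integ']}")
    for p in esp:
        if p["dh"] in WEAK_DH:
            findings.append(f"{name}: esp= uses weak PFS group {p['dh']}")
        if p["dh"] and ike_dh and p["dh"] not in ike_dh:
            findings.append(f"{name}: esp= PFS group {p['dh']} differs from ike= {sorted(ike_dh)}")
        if p["integ"] in WEAK_INTEG:
            findings.append(f"{name}: esp= uses legacy integrity {p['integ']}")
    return findings

def lint_config(text):
    return {name: lint_conn(name, conn) for name, conn in parse_conns(text).items()}

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONF).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against a real /etc/ipsec.conf by passing its contents to lint_config(). The linter only reads the conn block itself; a conn that inherits ike= or esp= from conn %default, or relies on the system crypto policy, shows no proposal and produces no finding, which is the same "you get what you specified, otherwise the defaults" behaviour Paul describes.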
