On Thu, 23 Apr 2020, John Serink wrote:

> I'm on Gentoo and I upgraded to 3.31 which broke all of my tunnels.
> I'm connecting to a Cisco IOS and Digi Transport routers and the tunnels to the
> Cisco broke.
> I'm sure the reason is this:
>
>      ike=aes128-md5;modp1024
>      phase2alg=aes128-md5;modp1024
>
> Is there any way to "encourage" V3.31 to support the modp1024?

You have to recompile with USE_DH2=true

Of course, it is strongly recommended you do not do this and fix those
tunnel configurations to not use crypto parameters from the 1990's.

See RFC 8247 https://tools.ietf.org/html/rfc8247

   Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
   RFC 4307 to SHOULD NOT.  It is known to be weak against sufficiently
   funded attackers using commercially available mass-computing
   resources, so its security margin is considered too narrow.  It is
   expected in the near future to be downgraded to MUST NOT.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
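As an added illustration (not part of the thread, and not a configuration either poster supplied), here is the quoted conn fragment next to a version that avoids the DH2/MD5 parameters Paul's reply objects to. The corrected proposals use algorithm names libreswan accepts (sha2_256, modp2048, dh19, aes_gcm256); the conn name, the choice of modp2048 over an ECP group, and the assumption that the Cisco IOS peer is configured to accept these proposals are mine, not something the thread confirms.

```ini
# Weak: the proposals quoted in the thread. MODP-1024 (DH group 2) is
# "SHOULD NOT" in RFC 8247 and is compiled out of libreswan 3.31 by
# default; MD5 as an IKE PRF/integrity algorithm is similarly dated.
conn cisco-weak
    ike=aes128-md5;modp1024
    phase2alg=aes128-md5;modp1024

# Fixed (assumed example): same tunnel, proposals that 3.31 accepts
# without USE_DH2=true. The peer must offer matching transforms; which
# groups a given IOS release supports is outside what the thread states.
conn cisco-fixed
    # IKE SA: AES-256, SHA-256 PRF/integrity, 2048-bit MODP (group 14).
    # dh19 (256-bit ECP) is also accepted by libreswan if the peer supports it.
    ike=aes256-sha2_256;modp2048
    # Child SA: AES-GCM gives confidentiality and integrity in one transform;
    # PFS (on by default) reuses the IKE group unless one is listed here.
    esp=aes_gcm256
    pfs=yes
```

The quick way to confirm which groups a build still accepts is to look at the proposals it logs when the tunnel is brought up (`ipsec auto --up <conn>`); a negotiation that fails on the DH group will show the rejected group in that output, which is how the original poster could tie the breakage to modp1024 rather than to the cipher or hash.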
