ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
Does this mean that 3des, sha1 and md5 is no longer supported in IPSEC tunnels?
Honestly, you should not be using those for ANYTHING...they have been insecure for literally years...
In practice it means that Phase 2 MD5 as well as Blowfish, DES, 3DES and CAST128 are no longer supported. Since phase 1 keeps working (supplied by StrongSwan itself) and phase 2 is a multi-select it should be trivial to update your tunnels to secure standards.
Cheers,
Franco
Ok.
Just needed to know what I might brake with the update, so I can check setup at customers before update.
We will make sure to mention that particular change in multiple update messages ;)
Cheers,
Franco
perfect.
Just ran into a little problem.
I was able to configure Phase 1 using IKEv1 with:
IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
But this is not supported with IKEv1.
Also when I setup with Hash alg. AES-XCBC in phase 1 and nothing in phase 2 the "VPN: IPsec: Security Association Database" list Auth alg. as replay=0 or replay=4.
Is this expected?
You can raise a ticket for this. Looks like IKEv1 is next in line for removal either way ;)
Cheers,
Franco