customize ipsec weak cipher sets

Started by m256, November 17, 2024, 11:51:49 AM

Yes, some older crypto was removed from the kernel a while ago now.


Cheers,
Franco

Quote from: m256 on December 03, 2024, 03:13:12 PM
So, good news: I have tried with custom configs - created a custom config file in swanctl\conf.d.
I made a completely new connection with unique id and full settings. It worked - even with deprecated ciphers.
I also tried adding just an update to settings made in GUI like this:
connections {
    con1 {
        children {
            con1 {
                esp_proposals = aes128-sha1
            }
        }
    }
}
this worked fine as well.

What does not work is 3des for ESP. This is not done by strongSwan but by the kernel. Adding 3des support to FreeBSD would likely mean recompiling the kernel.

Hello,

thanks for the helpful post, it already clarified a lot. I still have a few short follow-up questions:

Which exact path did you use for the custom config? Does any file under /usr/local/etc/swanctl/conf.d/*.conf (for example custom.conf) work, or did you specifically use override.conf?

Was the connection also created in the GUI, or was it defined entirely via the custom config file?

In the partial override example using connections { con1 { children { con1 { ... }}}: do both the connection name and the child name have to match exactly the names shown by swanctl --list-conns?

After modifying the file, did you only run swanctl --load-all, or did you also click "Apply" in the GUI?

I'm asking because on OPNsense 25.1.6_4 I do not see any changes when using either /usr/local/etc/swanctl/conf.d/custom.conf or override.conf (verified with swanctl --list-conns).

Thanks for a short clarification.
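An added example, not code from this thread, from OPNsense or from strongSwan: a small Python helper that parses strongSwan proposal strings, flags the algorithms a practitioner would not want to re-enable (the WEAK table is this example's own judgement, not a project list; its 3DES note only repeats what m256 reported above about the FreeBSD kernel), and renders a swanctl.conf override in the exact shape m256 posted. It assumes strongSwan's proposal syntax (proposals separated by ',', algorithms inside a proposal by '-', PRFs spelled with a 'prf' prefix) and assumes, as the thread's example does, that the connection and child section names must match the names of the existing connection for the override to apply.

```python
"""
Parse, audit and render strongSwan proposal strings for swanctl.conf.

Added example, not code from the thread, OPNsense or strongSwan. Assumes
strongSwan's proposal syntax: proposals separated by ',', algorithms inside
one proposal by '-', PRFs with a 'prf' prefix, e.g.
"aes128-sha1,aes256gcm16-prfsha384-ecp384".
"""

# Algorithm names (strongSwan spelling) that should not be accepted in a new
# IPsec policy, with the reason to report. Constructed for this example; the
# 3des entry records what m256 reported in the thread (3DES for ESP fails
# because the FreeBSD kernel no longer provides it, not because of strongSwan).
WEAK = {
    "des": "single DES, 56-bit key",
    "3des": "deprecated; thread reports the FreeBSD kernel lacks 3DES ESP support",
    "null": "no encryption",
    "md5": "broken hash",
    "sha1": "deprecated integrity/PRF",
    "modp768": "DH group too small",
    "modp1024": "DH group too small (1024-bit, Logjam class)",
    "modp1536": "DH group too small",
}


def parse_proposals(spec):
    """'aes128-sha1, aes256gcm16-ecp256' -> [['aes128','sha1'], ['aes256gcm16','ecp256']]."""
    proposals = []
    for prop in spec.split(","):
        algs = [a.strip().lower() for a in prop.split("-") if a.strip()]
        if algs:
            proposals.append(algs)
    return proposals


def _base_name(alg):
    """Map strongSwan spellings onto WEAK keys: prfsha1 -> sha1, sha1_160 -> sha1."""
    if alg.startswith("prf"):
        alg = alg[3:]
    if alg.startswith("sha1"):
        return "sha1"
    return alg


def audit_proposals(spec):
    """Return (proposal, algorithm, reason) for every weak algorithm in spec."""
    findings = []
    for algs in parse_proposals(spec):
        proposal = "-".join(algs)
        for alg in algs:
            reason = WEAK.get(_base_name(alg))
            if reason:
                findings.append((proposal, alg, reason))
    return findings


def render_override(conn, child=None, proposals=None, esp_proposals=None):
    """
    Render a swanctl.conf fragment in the shape m256 posted: a connection
    block carrying only the settings to add. `proposals` goes on the
    connection (IKE), `esp_proposals` on the named child. The section names
    are assumed to have to match the existing connection's names as printed
    by `swanctl --list-conns` (this is what the thread's example relies on).
    """
    lines = ["connections {", f"    {conn} {{"]
    if proposals:
        lines.append(f"        proposals = {proposals}")
    if child and esp_proposals:
        lines += [
            "        children {",
            f"            {child} {{",
            f"                esp_proposals = {esp_proposals}",
            "            }",
            "        }",
        ]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The child override from the thread, the 3DES variant it says fails,
    # and a current-practice proposal for comparison. Constructed inputs.
    for spec in ("aes128-sha1", "3des-sha1-modp1024", "aes256gcm16-prfsha384-ecp384"):
        print(f"esp_proposals = {spec}")
        for _proposal, alg, reason in audit_proposals(spec) or [(spec, "-", "no weak algorithms")]:
            print(f"  {alg:<10} {reason}")
    print(render_override("con1", child="con1", esp_proposals="aes128-sha1"))
```

Whatever the file is called, the two checks worth doing after `swanctl --load-all` are `swanctl --list-conns` (is the override reflected in the loaded connection at all?) and, once a tunnel is up, `swanctl --list-sas`, which prints the algorithms actually negotiated for the IKE SA and each ESP child; a proposal that is loaded but rejected by the kernel shows up there as a child that never establishes, which is the 3DES case from the thread.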