Topic: ipsec: remove hashes and algorithms no longer supported by FreeBSD 13 (Read 4207 times)
olest (Jr. Member), on: January 25, 2022, 03:35:10 pm
ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
Does this mean that 3des, sha1 and md5 are no longer supported in IPSEC tunnels?

jclendineng (Full Member), Reply #1 on: January 25, 2022, 05:35:29 pm
Honestly, you should not be using those for ANYTHING...they have been insecure for literally years...

franco (Administrator, Hero Member), Reply #2 on: January 26, 2022, 08:39:24 am
In practice it means that Phase 2 MD5 as well as Blowfish, DES, 3DES and CAST128 are no longer supported. Since phase 1 keeps working (supplied by StrongSwan itself) and phase 2 is a multi-select, it should be trivial to update your tunnels to secure standards.
Cheers,
Franco
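
An added example, not part of the original thread or of OPNsense itself: a pre-upgrade check that flags Phase 2 proposals using the algorithms listed in the reply above (MD5, Blowfish, DES, 3DES, CAST128). It assumes the tunnel definitions are available in strongSwan `ipsec.conf` syntax; the function name, the keyword spellings and the sample config are constructed for illustration.

```python
import re

# Phase 2 algorithms named in the thread as removed, written as strongSwan
# proposal keywords (the keyword spellings are an assumption of this example).
REMOVED = re.compile(r"^(md5(_128)?|des|3des|cast128|blowfish(128|192|256)?)$")

# Constructed sample in ipsec.conf syntax; not taken from a real firewall.
SAMPLE_CONF = """\
conn con1
  keyexchange = ikev2
  ike = aes256-sha256-modp2048!
  esp = 3des-md5-modp1024,aes256-sha256-modp2048!

conn con2
  ike = 3des-sha1-modp1024!
  esp = aes256gcm16-modp2048!

conn con3
  # esp = des-md5   (commented out, must be ignored)
  esp = blowfish256-sha1,cast128-sha256!
"""

def audit_phase2(conf_text):
    """Return [(conn, proposal, [removed keywords])] for esp=/ah= lines only."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
            continue
        key, sep, value = line.partition("=")
        # Phase 1 (ike=) is skipped: the thread says it keeps working.
        if not sep or key.strip() not in ("esp", "ah"):
            continue
        for proposal in value.strip().rstrip("!").split(","):
            proposal = proposal.strip()
            bad = [t for t in proposal.lower().split("-") if REMOVED.match(t)]
            if bad:
                findings.append((conn, proposal, bad))
    return findings

if __name__ == "__main__":
    for conn, proposal, bad in audit_phase2(SAMPLE_CONF):
        print(f"{conn}: phase 2 proposal '{proposal}' uses removed: {', '.join(bad)}")
```

A tunnel whose only Phase 2 proposals appear in the output needs a supported alternative added on both peers before the upgrade.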

olest (Jr. Member), Reply #3 on: January 26, 2022, 10:20:45 am
Ok.
Just needed to know what I might break with the update, so I can check the setup at customers before the update.

franco (Administrator, Hero Member), Reply #4 on: January 26, 2022, 10:48:10 am
We will make sure to mention that particular change in multiple update messages.
Cheers,
Franco

olest (Jr. Member), Reply #5 on: January 26, 2022, 11:06:48 am
Perfect.
Just ran into a little problem.
I was able to configure Phase 1 using IKEv1 with:
IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
But this is not supported with IKEv1.
(Last Edit: January 26, 2022, 11:14:59 am by olest)

olest (Jr. Member), Reply #6 on: January 26, 2022, 11:38:23 am
Also, when I set up with Hash alg. AES-XCBC in phase 1 and nothing in phase 2, the "VPN: IPsec: Security Association Database" lists Auth alg. as replay=0 or replay=4.
Is this expected?

franco (Administrator, Hero Member), Reply #7 on: January 26, 2022, 12:25:31 pm
You can raise a ticket for this. Looks like IKEv1 is next in line for removal either way.
Cheers,
Franco