ipsec: remove hashes and algorithms no longer supported by FreeBSD 13

Started by olest, January 25, 2022, 03:35:10 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
January 25, 2022, 03:35:10 PM
ipsec: remove hashes and algorithms no longer supported by FreeBSD 13

Does this mean that 3des, sha1 and md5 is no longer supported in IPSEC tunnels?
January 25, 2022, 05:35:29 PM #1
Honestly, you should not be using those for ANYTHING...they have been insecure for literally years...
January 26, 2022, 08:39:24 AM #2
In practice it means that Phase 2 MD5 as well as Blowfish, DES, 3DES and CAST128 are no longer supported. Since phase 1 keeps working (supplied by StrongSwan itself) and phase 2 is a multi-select it should be trivial to update your tunnels to secure standards.


Cheers,
Franco
January 26, 2022, 10:20:45 AM #3
Ok.

Just needed to know what I might brake with the update, so I can check setup at customers before update.
January 26, 2022, 10:48:10 AM #4
We will make sure to mention that particular change in multiple update messages ;)


Cheers,
Franco
January 26, 2022, 11:06:48 AM #5 Last Edit: January 26, 2022, 11:14:59 AM by olest
perfect.

Just ran into a little problem.

I was able to configure Phase 1 using IKEv1 with:
IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048

But this is not supported with IKEv1.
January 26, 2022, 11:38:23 AM #6
Also when I setup with Hash alg. AES-XCBC in phase 1 and nothing in phase 2 the "VPN: IPsec: Security Association Database" list Auth alg. as replay=0 or replay=4.

Is this expected?
January 26, 2022, 12:25:31 PM #7
You can raise a ticket for this. Looks like IKEv1 is next in line for removal either way ;)


Cheers,
Franco
Print
Go Up Pages1
User actions