[Pkg-swan-devel] Bug#883072: Bug#883072: strongswan-libcharon: Upgrade to 5.6.1-2 changed cypher proposals, can't connect to VPN anymore
Luca Niccoli
lultimouomo at gmail.com
Wed Nov 29 21:42:30 UTC 2017
That sounds totally reasonable - it would have been great if
apt-listchanges had explained to me that I might have to add back
disabled ciphers to connect to legacy VPNs.
It's a shame that Windows doesn't offer MODP-2048 by default...
Luca
On 29 November 2017 at 13:34, Yves-Alexis Perez <corsac at debian.org> wrote:
> On Wed, 2017-11-29 at 10:54 +0100, Luca Niccoli wrote:
>> Is there a specific reason the default cipher proposal by
>> strongswan doesn't offer aes256-sha256-prfsha256-modp1024 anymore?
>> Would it be possible to add it back?
>
> Hi,
>
> see the first point in https://wiki.strongswan.org/versions/67:
>
> ====
> Several algorithms were removed from the default ESP/AH and IKEv2 proposals in compliance with
> RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the
> 3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKEv2 default
> proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
> latter is significant for Windows clients in their default configuration).
> These algorithms may still be used in custom proposals.
> ====
>
> We don't intend to divert from upstream on that (quite the contrary actually),
> so no we won't add it back. I'll add a note to NEWS.Debian though, so users
> are warned at upgrade time.
>
> Regards,
> --
> Yves-Alexis
More information about the Pkg-swan-devel
mailing list