[Swan] Phase 1 and Phase 2 Parameters?
Sceekar O.
2018-04-29 12:56:59 UTC
Hello --,

I have recently configured a VPN on Debian 9 using the auto script here -
https://github.com/hwdsl2/setup-ipsec-vpn

hwdsl2/setup-ipsec-vpn is based on Libreswan/strongSwan I believe.

However, I received a *Form* from a site I want to connect to, to provide
*Phase 1* and *Phase 2* parameters for my VPN setup; and I'm not sure what
the right values are.

If you can help me fill in the right parameters for each " ? " in the form
below, I would be most grateful.

Thanks.


*The Form*

End Point Device                   | The site's details | My details (hwdsl2/setup-ipsec-vpn) | Comments
VPN device type/model              | JUNIPER SSG550     | ?                                   | Equipment

ISAKMP SA
ISAKMP SA Authentication Method    | pre-shared         | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA Key                      | To be shared       | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA Hash Algorithm           | SHA                | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA Encryption Algorithm     | 3DES               | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA Diffie-Hellman Group     | 2                  | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA Life Duration            | 28800              | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA Vendor-ID                | disable            | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA IKE KeepAlive            | disable            | ?                                   | Phase 1 IPSEC Tunnel
ISAKMP SA IKE DPD KeepAlive        | disable            | ?                                   | Phase 1 IPSEC Tunnel

IPSec SA
IPSec SA – IPSEC Protocol          | ESP                | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – Mode                    | tunnel             | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – Hash Algorithm          | SHA                | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – Encryption Algorithm    | 3DES               | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – Life Type               | 3600               | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – PFS                     | enable             | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – PFS D-H Group           | group2             | ?                                   | Phase 2 IPSEC Tunnel
IPSec SA – Compression LZS         | disable            | ?                                   | Phase 2 IPSEC Tunnel
Paul Wouters
2018-04-29 16:15:45 UTC
> However, I received a Form from a site I want to connect to, to provide Phase 1 and Phase 2 parameters for my VPN
> setup; and I'm not sure what the right values are.
> If you can help me fill in the right parameters for each " ? " in the form below, I would be most grateful.

> ISAKMP SA Authentication Method   pre-shared   ?   Phase 1 IPSEC Tunnel

authby=secret

> ISAKMP SA Key   To be shared   ?   Phase 1 IPSEC Tunnel

> ISAKMP SA Hash Algorithm   SHA   ?   Phase 1 IPSEC Tunnel

> ISAKMP SA Encryption Algorithm   3DES   ?   Phase 1 IPSEC Tunnel

> ISAKMP SA Diffie-Hellman Group   2   ?   Phase 1 IPSEC Tunnel

Based on these obsoleted ancient unwise parameters, I assume this is

ikev2=never

ike=3des-sha1;modp1024

However, note that Diffie-Hellman Group 2 is OBSOLETE and has been
changed to MUST NOT be implemented in RFC-8247. At the moment, this
DH group is removed from the default but still allowed to be configured.
But very soon this will be removed as it is simply too weak, and your
VPN might break on a libreswan update next year.

version of libreswan it might no longer be possible to

> ISAKMP SA Life Duration   28800   ?   Phase 1 IPSEC Tunnel

Not negotiated, no option needed.

> ISAKMP SA Vendor-ID   disable   ?   Phase 1 IPSEC Tunnel

> ISAKMP SA IKE KeepAlive   disable   ?   Phase 1 IPSEC Tunnel

Same.

> ISAKMP SA IKE DPD KeepAlive   disable   ?   Phase 1 IPSEC Tunnel

Unwise, but means no config option needed.

> IPSec SA
> IPSec SA – IPSEC Protocol   ESP   ?   Phase 2 IPSEC Tunnel

> IPSec SA – Mode   tunnel   ?   Phase 2 IPSEC Tunnel

> IPSec SA – Hash Algorithm   SHA   ?   Phase 2 IPSEC Tunnel

> IPSec SA – Encryption Algorithm   3DES   ?   Phase 2 IPSEC Tunnel

esp=3des-sha1

> IPSec SA – Life Type   3600   ?   Phase 2 IPSEC Tunnel

> IPSec SA – PFS   enable   ?   Phase 2 IPSEC Tunnel

pfs=yes

> IPSec SA – PFS D-H Group   group2   ?   Phase 2 IPSEC Tunnel

> IPSec SA – Compression LZS   disable   ?   Phase 2 IPSEC Tunnel

ipcomp=no (but that is the default already)


Your partner side needs to update their 90s crypto to the standards of
today.

Paul
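One way to turn a partner form like this into the matching Libreswan conn section, following the keyword mapping in Paul's reply above and generalizing it to other algorithm names, as an added example (not code from the thread or from the Libreswan project). It assumes the form vocabulary in the tables ENC/HASH/DH; the keywords ikelifetime=, salifetime=, type=, phase2= and dpddelay/dpdtimeout/dpdaction are standard ipsec.conf keywords that the thread did not mention; ikev2=never is Paul's spelling (newer Libreswan releases accept ikev2=no); and the LEGACY set is this script's own warning policy, in line with the thread's advice about group 2 and 3DES, not a quotation of any RFC.

```python
"""Translate a partner's IPsec Phase 1 / Phase 2 parameter form into the
Libreswan ipsec.conf keywords it corresponds to, and warn about legacy
algorithm choices.

Added example, not code from the thread or from the Libreswan project.
The keyword mapping follows Paul's answers (authby=secret, ikev2=never,
ike=, esp=, pfs=, ipcomp=); LEGACY is this script's own warning policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Form vocabulary -> Libreswan ike=/esp= algorithm tokens (assumed vocabulary).
ENC = {"3des": "3des", "aes": "aes", "aes128": "aes128", "aes256": "aes256"}
HASH = {"sha": "sha1", "sha1": "sha1", "sha256": "sha2_256", "md5": "md5"}
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
      "19": "dh19", "20": "dh20", "31": "dh31"}

# Assumed policy: warn on 3DES, MD5 and MODP groups of 1536 bits or less,
# in line with the thread's advice that group 2 and 3DES are obsolete.
LEGACY = {"3des", "md5", "modp768", "modp1024", "modp1536"}


@dataclass
class PhaseForm:
    """The partner's form, one attribute per row, in the partner's words."""
    auth_method: str          # "pre-shared" or "certificate"
    p1_hash: str
    p1_enc: str
    p1_dh: str                # "2", "group2", "14", ...
    p1_lifetime_s: int
    p2_protocol: str          # "ESP"
    p2_mode: str              # "tunnel"
    p2_hash: str
    p2_enc: str
    p2_lifetime_s: int
    pfs: bool
    pfs_dh: Optional[str]
    compression: bool
    dpd: bool


def norm(value: str) -> str:
    """Lower-case, drop spaces and a leading 'group' ('Group 2' -> '2')."""
    v = value.strip().lower().replace(" ", "")
    return v[5:] if v.startswith("group") else v


def translate(form: PhaseForm) -> tuple[list[str], list[str]]:
    """Return (lines of a conn section, warnings about legacy choices)."""
    warnings: list[str] = []

    def tok(table: dict, value: str, where: str) -> str:
        key = norm(value)
        if key not in table:
            raise ValueError(f"{where}: unknown form value {value!r}")
        t = table[key]
        if t in LEGACY:
            warnings.append(f"{where}: {value!r} maps to {t}, a legacy "
                            "algorithm; ask the partner for a current one")
        return t

    p1_dh = tok(DH, form.p1_dh, "Phase 1 DH group")
    ike = (f"{tok(ENC, form.p1_enc, 'Phase 1 encryption')}-"
           f"{tok(HASH, form.p1_hash, 'Phase 1 hash')};{p1_dh}")
    esp = (f"{tok(ENC, form.p2_enc, 'Phase 2 encryption')}-"
           f"{tok(HASH, form.p2_hash, 'Phase 2 hash')}")
    if form.pfs and form.pfs_dh:
        pfs_dh = tok(DH, form.pfs_dh, "PFS DH group")
        if pfs_dh != p1_dh:           # pfs=yes alone reuses the IKE group
            esp += ";" + pfs_dh

    psk = norm(form.auth_method) in ("pre-shared", "preshared", "psk")
    lines = [
        "conn partner-site",
        f"\tauthby={'secret' if psk else 'rsasig'}",
        "\tikev2=never",              # ISAKMP/IKEv1 form; newer releases: ikev2=no
        f"\tike={ike}",
        f"\tikelifetime={form.p1_lifetime_s}s",
        f"\tphase2={form.p2_protocol.lower()}",
        f"\ttype={form.p2_mode.lower()}",
        f"\tesp={esp}",
        f"\tsalifetime={form.p2_lifetime_s}s",
        f"\tpfs={'yes' if form.pfs else 'no'}",
        f"\tipcomp={'yes' if form.compression else 'no'}",
    ]
    if form.dpd:                      # "disable" on the form: no option needed
        lines += ["\tdpddelay=30", "\tdpdtimeout=120", "\tdpdaction=restart"]
    return lines, warnings


def render(form: PhaseForm) -> str:
    """Conn section as text, with warnings appended as '#' comments."""
    lines, warnings = translate(form)
    out = "\n".join(lines)
    if warnings:
        out += "\n# " + "\n# ".join(warnings)
    return out


# Constructed from the form in the thread (the Juniper SSG550 side's values).
THREAD_FORM = PhaseForm("pre-shared", "SHA", "3DES", "2", 28800,
                        "ESP", "tunnel", "SHA", "3DES", 3600,
                        pfs=True, pfs_dh="group2", compression=False, dpd=False)

if __name__ == "__main__":
    print(render(THREAD_FORM))
```

Running it on the thread's form reproduces Paul's answers (authby=secret, ike=3des-sha1;modp1024, esp=3des-sha1, pfs=yes, ipcomp=no) and attaches warnings for every 3DES and group 2 choice, which is the list to send back to the partner when asking them to update their parameters.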
Sceekar O.
2018-04-29 18:20:49 UTC
Hello Paul,

Thanks a lot for your detailed response - well received.

Regards,