Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Modify default cipher suite for IKEv2 #981

Closed
dguido opened this issue May 31, 2018 · 7 comments
Closed

Modify default cipher suite for IKEv2 #981

dguido opened this issue May 31, 2018 · 7 comments
Assignees
@jackivanov

Comments

@dguido
Copy link
Member

dguido commented May 31, 2018
edited
Loading

As of August 2015, NSA recommends a stronger set of algorithms than the ones we currently configure. These changes were made to provide improved resistance to theoretical attacks from quantum computers.

The current cipher suite is:

  • ike: aes128gcm16-prfsha512-ecp256!
  • esp: aes128gcm16-ecp256!

The new proposed cipher suite is:

  • ike: aes256gcm16-prfsha512-ecp384!
  • esp: aes256gcm16-ecp384!

The primary changes are that:

  • Bulk encryption is moved from AES-128 to 256 w/ no changes to the mode (still GCM)
  • The DH group is moved from NIST P-256 to P-384

More information about available cipher suites for IKEv2 is available in the StrongSwan documentation.
@ndtob
Copy link

ndtob commented May 31, 2018

In addition to these changes, changes in the resulting iOS profile will be required:

Current:

                    <key>DiffieHellmanGroup</key>
                    <integer>19</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-128-GCM</string>

Change to:

                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256-GCM</string>

@jackivanov jackivanov mentioned this issue Jun 4, 2018
Merged
@pguizeline
Copy link
Contributor

On iOS it runs great! But on Windows 10 I get the following message when trying to activate the VPN:
"IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."

I'm running Windows 10 Pro version 1803 build 17134.48

@jackivanov
Copy link
Collaborator

Could anybody provide some debug information from windows 10, please?

@pguizeline
Copy link
Contributor

pguizeline commented Jun 4, 2018
edited
Loading

I still have the profile installed on this machine, I just don't know where to look.

@jackivanov
Copy link
Collaborator

For some reason that's happening because of switching from ECP256 to ECP384

@jackivanov
Copy link
Collaborator

I forgot to switch the ec params. Should work now. ping @pguizeline

@pguizeline
Copy link
Contributor

pguizeline commented Jun 6, 2018
edited by jackivanov
Loading

Hi Jack! The VPN now works on Windows 10 with the latest changes.

I've tested:

  • - iOS (failed)
  • - macOS
  • - Windows 10 (worked)
  • - Android
  • - Linux

The iOS seems to be unable to connect, I'm using the latest 11.4

I can test macOS later today. Thanks for all your help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jackivanov jackivanov

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dguido @ndtob @pguizeline @jackivanov