On Tue, 16 Jul 2024, Jakob Moller via Swan-dev wrote:
First of all, thanks for maintaining such an awesome Project!
Thanks :)
I'm currently navigating through the libreswan docs
(https://libreswan.org/man/ipsec.conf.5.html) in
search of the default settings used for the esp encryption. As I understand
from the documentation this
applies:
The supported algorithms depend on the libreswan version, OS and kernel stack used. Possible ciphers are
aes, 3des, aes_ctr, aes_gcm, aes_ccm, camellia and chacha20_poly1305.
Now my issue: I have an exact libreswan, OS and kernel configuration but would
like to figure out what
these defaults are before actually setting up a tunnel. Would it be possible to
share with me how these
"secure defaults" are generated?
It's complicated because libreswan also supports the Fedora/RHEL
systemwide crypto-policies. So likely, your defaults are defined
in /etc/crypto-policies/back-ends/libreswan.config
on rawhide, this shows me:
conn %default
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes
256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_51
2+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh3
1+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm12
8,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha
2_384,rsa-sha2_512
which overrides any compiled in defaults.
Note that this does depend on /etc/ipsec.conf including crypto-policies,
eg containing the line:
include /etc/crypto-policies/back-ends/libreswan.config
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
