[Openswan Users] Cipher support for Openswan
neal.p.murphy at alum.wpi.edu
Thu Feb 12 14:30:10 EST 2015
On Thursday, February 12, 2015 01:28:57 PM Mihir Shirali -X (mshirali -
INFOSYS LIMITED at Cisco) wrote:
> Thanks for the responses!
> We're not using DES by default. We give the users an interface to choose
> the algorithm they wish to. I do see with DES, OpenSwan complains about it
> being weak. I was wondering if there is a list of weak ciphers available
> or ones which have been discontinued from OpenSwan. The "ipsec auto
> --status" command helped.
As far as I know, DES is the only one that has been discontinued (barred)
because it is so weak. I've been told it is about as strong as plain text and
that 3DES is only slightly better. The rest of the methods, especially the
newest algorithms, should be adequate. The best practices involve using two or
more different methods tunnelled inside each other, such as OpenVPN tunnelled
in IPSEC, or PPP over SSH tunnelled inside OpenVPN which is in turn tunnelled
inside IPSEC. If one method is compromised, the other one or two should be
strong enough to hold up. It depends on how secure you want your
communications to be.
More information about the Users