[Openswan Users] Cipher support for Openswan

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Feb 12 14:30:10 EST 2015


On Thursday, February 12, 2015 01:28:57 PM Mihir Shirali -X (mshirali - 
INFOSYS LIMITED at Cisco) wrote:
> All,
> 
> Thanks for the responses!
> 
> We're not using DES by default. We give the users an interface to choose
> the algorithm they wish to. I do see with DES, OpenSwan complains about it
> being weak. I was wondering if there is a list of weak ciphers available
> or ones which have been discontinued from OpenSwan. The "ipsec auto
> --status" command helped.

As far as I know, DES is the only one that has been discontinued (barred) 
because it is so weak. I've been told it is about as strong as plain text and 
that 3DES is only slightly better. The rest of the methods, especially the 
newest algorithms, should be adequate. The best practices involve using two or 
more different methods tunnelled inside each other, such as OpenVPN tunnelled 
in IPSEC, or PPP over SSH tunnelled inside OpenVPN which is in turn tunnelled 
inside IPSEC. If one method is compromised, the other one or two should be 
strong enough to hold up. It depends on how secure you want your 
communications to be.


More information about the Users mailing list