That sounds totally reasonable - it would have been great if
apt-listchanges had explained to me that I might have to add back
disabled ciphers to connect to legacy VPNs.
It's a shame that Windows doesn't offer MODP-2048 by default...

Luca


On 29 November 2017 at 13:34, Yves-Alexis Perez <cor...@debian.org> wrote:
> On Wed, 2017-11-29 at 10:54 +0100, Luca Niccoli wrote:
>> Is there a specific reason the default cipher proposal by
>> strongswan doesn't offer aes256-sha256-prfsha256-modp1024 anymore?
>> Would it be possible to add it back?
>
> Hi,
>
> see the first point in https://wiki.strongswan.org/versions/67:
>
> ====
>     Several algorithms were removed from the default ESP/AH and IKEv2
>     proposals in compliance with RFC 8221 and RFC 8247, respectively.
>     Removed from the default ESP/AH proposal were the 3DES and Blowfish
>     encryption algorithms and the HMAC-MD5 integrity algorithm. From the
>     IKEv2 default proposal the HMAC-MD5 integrity algorithm and the
>     MODP-1024 Diffie-Hellman group were removed (the latter is significant
>     for Windows clients in their default configuration).
>     These algorithms may still be used in custom proposals.
> ====
>
> We don't intend to divert from upstream on that (quite the contrary actually),
> so no we won't add it back. I'll add a note to NEWS.Debian though, so users
> are warned at upgrade time.
>
> Regards,
> --
> Yves-Alexis
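
An added example, not part of the original thread and not strongSwan or Debian code: a small audit that lists which connections in an ipsec.conf-style file still carry custom proposals using the algorithms the quoted changelog says were dropped from the defaults. It assumes `conn` sections with `ike=`, `esp=` and `ah=` options; the keyword spellings and the sample configuration are constructed for the example.

```python
import re

# Proposal keywords for the algorithms the quoted changelog says were dropped
# from the defaults. Keyword spellings are this example's assumption.
REMOVED = {
    "ike": {r"md5(_128)?": "HMAC-MD5", r"modp1024": "MODP-1024"},
    "esp": {r"3des": "3DES", r"blowfish(128|192|256)?": "Blowfish",
            r"md5(_128)?": "HMAC-MD5"},
}
REMOVED["ah"] = REMOVED["esp"]

# Constructed sample configuration, not from a real deployment.
SAMPLE_CONF = """\
conn legacy-windows
    keyexchange=ikev2
    ike=aes256-sha256-prfsha256-modp1024,aes256-sha256-modp2048!
    esp=aes128-sha1,3des-md5
conn modern
    ike=aes256gcm16-prfsha384-ecp384
    # ike=3des-md5-modp1024  (commented out, ignored)
"""

def audit(conf_text):
    """Return (conn, option, proposal, algorithm) for each legacy algorithm found."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        header = re.fullmatch(r"conn\s+(\S+)", line)
        if header:
            conn = header.group(1)
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key not in REMOVED:
            continue
        # A trailing "!" marks the proposal list as strict; drop it before parsing.
        for proposal in value.strip().rstrip("!").split(","):
            for alg in proposal.strip().lower().split("-"):
                for pattern, name in REMOVED[key].items():
                    if re.fullmatch(pattern, alg):
                        findings.append((conn, key, proposal.strip(), name))
    return findings

if __name__ == "__main__":
    for conn, key, proposal, name in audit(SAMPLE_CONF):
        print(f"conn {conn}: {key}={proposal} uses {name}")
```

Running it before an upgrade shows which peers depend on a custom proposal and would need to move to a stronger group such as MODP-2048.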
