Cannot Connect to VPN

,

I am also getting error connecting VPN after the latest update to 5.5.7-200 kernel in FC31. The error message is
Failed to add connection “edc9c375-d4b7-44ca-9fd2-548d0ee639f5”: ike string error: IKE DH algorithm ‘modp1024’ is not supported
This is what we I see in libreswan man page

Weak algorithms are regularly removed from libreswan. Currently, 1DES and modp768 have been removed and modp1024 will be removed in the near future. Additionally, md5 and sha1 will be removed within the next few years. Null encryption is available, and should only be used for testing or benchmarking purposes. Please do not request for insecure algorithms to be re-added to libreswan.

Diffie-Hellman groups 19,20 and 21 from RFC- 5903 and 22, 23 and 24 from RFC-5114 are also supported. For all groups, the “dh” keyword can be used. For the MODP based groups, the modp= keyword can be used. for example ike=3des-sha1;dh19. The RFC-5114 DH groups are extremely controversial and MUST NOT be used unless forced (administratively) by the other party. Support for these groups will most likely be removed in 2017, as it cannot be proven these DH groups do not have a cryptographic trapdoor embedded in them (a backdoor by the USG who provided these primes without revealing the seeds and generation process used). Due the the weakness od DH22, support for this group is not compiled in by default and can be re-enabled using USE_DH22=true.

The modp syntax will be removed in favour of the dh syntax in the future

It looks like the last line also means that the modp setting cannot be used. Atleast the ipsec configuration looks different. My libreswan version is 3.3.0

Is there a way to force libreswan 3.3 to support modp1024 DH algorithm?

2 Likes