From 99d306f12b4ff1bdbaf83d3f4d5685560f53377c Mon Sep 17 00:00:00 2001
From: Adrian Calinescu
Date: Fri, 13 Aug 2021 11:31:15 +0300
Subject: [PATCH] Fix - Azure only supports DH Group 2 by default and StrongSwan has deprecated it

By Default Azure VPN gateways only accept DH Group 2 (-modp1024). Since StrongSwan has deprecated DH Group 2 we need to manually add it in.

## SECURITY WARNING: DH Group 2 is now considered insecure, you should add a Connection policy on Azure side that uses DH Group 24 (-modp2048s256) or a more secure one (EC).

```
ike=aes256-sha384-modp1024
```
---
 StrongSwan/5.3.5/ipsec.conf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/StrongSwan/5.3.5/ipsec.conf b/StrongSwan/5.3.5/ipsec.conf
index c440317..92ba472 100644
--- a/StrongSwan/5.3.5/ipsec.conf
+++ b/StrongSwan/5.3.5/ipsec.conf
@@ -11,4 +11,11 @@ conn azure
 right=4.3.2.1 #Azure Dynamic Gateway's IP address
 rightsubnet=10.11.0.0/16,10.12.0.0/16 #Azure VNET address space
 auto=route
- keyexchange=ikev2 # Mandatory for Dynamic / Route-based gateway
\ No newline at end of file
+ keyexchange=ikev2 # Mandatory for Dynamic / Route-based gateway
+ # By Default Azure VPN gateways only accept DH Group 2 (-modp1024). Since StrongSwan has
+ # deprecated DH Group 2 we need to manually add it in.
+ # SECURITY WARNING:
+ # DH Group 2 is now considered insecure, you should add a Connection policy on
+ # Azure side that uses DH Group 24 (-modp2048s256) or a more secure one (EC).
+ # Use strongswan stroke up to see if proposals match.
+ ike=aes256-sha384-modp1024
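Review bot: The added `ike=` line offers only `modp1024`, so even after the Azure-side custom IPsec policy the comment asks for is in place, this peer will keep negotiating 1024-bit DH until the file is edited again; strongSwan takes a comma-separated proposal list, so list the stronger groups first and leave group 2 only as a last-resort fallback, e.g. `ike=aes256-sha384-ecp384,aes256-sha384-modp2048,aes256-sha384-modp1024`, with a comment to delete the last entry once the Azure policy is confirmed. The comment's recommendation of group 24 (`modp2048s256`) is worth revisiting: the RFC 5114 groups have no published derivation for their parameters, and plain group 14 (`modp2048`) or the ECP groups the commit message mentions are the more conventional choice. The `esp=` proposal is outside this hunk, so if PFS is enabled for the CHILD_SA its DH group needs the same treatment. The enclosing `conn azure` section begins before the hunk.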