starred/docker-ipsec-vpn-server
1
0
Fork 0
mirror of https://github.com/hwdsl2/docker-ipsec-vpn-server.git synced 2026-04-26 01:55:53 +03:00
Code Issues Projects Releases Packages Wiki Activity

[GH-ISSUE #66] Please use secure ciphers #58

New issue
Closed
opened 2026-03-02 07:11:25 +03:00 by kerem · 1 comment
kerem commented 2026-03-02 07:11:25 +03:00
Owner
Copy link

Originally created by @songgao on GitHub (Apr 7, 2018).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/66

In an old article for openswan, some of these were specifically marked as broken.

Is there a specific reason why old broken ciphers are included in the ike= list? If there are old platforms that this intends to support, and they only support some of these ciphers, perhaps the docs could mention it.

For macOS and iOS, it seems ike=aes256-sha2;dh14 is a sensible choice, as Apple added DH group 14 for both Cisco IPSec and L2TP/IPSec since iOS 9.3 and OS X 10.11.4 (link). I haven't tested on other platforms though.

Originally created by @songgao on GitHub (Apr 7, 2018). Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/66 In an [old article for openswan](https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations), some of [these](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/00e3e719b95b73e3e7c7e8ad5e06fdace0873366/run.sh#L134) were specifically marked as broken. Is there a specific reason why old broken ciphers are included in the `ike=` list? If there are old platforms that this intends to support, and they only support some of these ciphers, perhaps the docs could mention it. For macOS and iOS, it seems `ike=aes256-sha2;dh14` is a sensible choice, as Apple added DH group 14 for both Cisco IPSec and L2TP/IPSec since iOS 9.3 and OS X 10.11.4 ([link](https://support.apple.com/en-us/HT206154)). I haven't tested on other platforms though.
kerem closed this issue 2026-03-02 07:11:25 +03:00
kerem commented 2026-03-02 07:11:26 +03:00
Author
Owner
Copy link

@hwdsl2 commented on GitHub (May 14, 2018):

@songgao Thank you for suggesting more secure ciphers for the VPN configuration. The ciphers in your linked article are not really "broken", although they may be less secure than others.

Unfortunately for compatibility with Windows clients, modp1024 must be enabled. The current group of ciphers trys to maintain compatibility with VPN clients on different platforms.

<!-- gh-comment-id:388704587 --> @hwdsl2 commented on GitHub (May 14, 2018): @songgao Thank you for suggesting more secure ciphers for the VPN configuration. The ciphers in your linked article are not really "broken", although they may be less secure than others. Unfortunately for compatibility with Windows clients, modp1024 must be enabled. The current group of ciphers trys to maintain compatibility with VPN clients on different platforms.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels   
bug

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question
No labels
bug
pull-request
question
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/docker-ipsec-vpn-server#58
No description provided.