Open PetrHula opened 3 years ago
This step only invokes the vpnc shell command. I think such a request should be directed to the Ubuntu repository maintainers, unless you have another idea.
Well, OK, you are probably right... So I opened a ticket on Ask Ubuntu. No reply so far: https://askubuntu.com/questions/1317051/vpnc-modp2048-ike-support
If that package is no longer maintained by the official Ubuntu repositories, we may add some PPA, assuming that some upstream provides an updated vpnc. From what I can see, the latest official version is from 2008: https://www.unix-ag.uni-kl.de/~massar/vpnc/
Support of modp2048 IKE seems to be missing in the plugin. When I set "IKE DH group 14" in the config file, the result is:

```
vpnc: IKE DH Group "14" unsupported
```

The only supported one is modp1024, but it is broken and not recommended: https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations

That's why we need stronger IKE: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites https://wiki.strongswan.org/versions/67

The full config:

```
Local Port 0
IPSec gateway XXXX
IPSec ID XXXX
IPSec secret XXXX
IKE Authmode psk
Xauth username XXXX
Xauth password XXXX
NAT Traversal Mode cisco-udp
IKE DH group 14
```

Result:

```
vpnc: IKE DH Group "14" unsupported
```
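
As an added example (not part of the issue thread or of vpnc itself): a small linter that reads a vpnc config and reports whether the requested IKE DH group is a value vpnc accepts and whether it meets a 2048-bit floor. The accepted values `dh1`/`dh2`/`dh5` and the `dh2` default are assumptions taken from the vpnc man page; `audit_dh_group` and the sample config are constructed for illustration.

```python
import re

# IKEv1 MODP group number -> modulus size in bits (RFC 2409, RFC 3526).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Assumption: values the vpnc man page documents for "IKE DH Group",
# and the default it uses when the key is absent.
VPNC_VALUES = {"dh1", "dh2", "dh5"}
VPNC_DEFAULT = "dh2"

# vpnc matches the key case-insensitively (the issue's "IKE DH group"
# was recognised), so the linter does too. Comment lines never match.
KEY = re.compile(r"^\s*IKE\s+DH\s+Group\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample: the config from the issue, secrets as placeholders.
ISSUE_CONF = """\
Local Port 0
IPSec gateway XXXX
IPSec ID XXXX
IPSec secret XXXX
IKE Authmode psk
NAT Traversal Mode cisco-udp
IKE DH group 14
"""

def audit_dh_group(conf_text, min_bits=2048):
    """Describe the DH group a vpnc config requests (last setting wins)."""
    raw, explicit = VPNC_DEFAULT, False
    for line in conf_text.splitlines():
        m = KEY.match(line)
        if m:
            raw, explicit = m.group(1).lower(), True
    # Accept both the vpnc spelling ("dh2") and a bare number ("14").
    digits = raw[2:] if raw.startswith("dh") else raw
    group = int(digits) if digits.isdecimal() else None
    bits = MODP_BITS.get(group)
    return {
        "group": group,
        "explicit": explicit,
        "bits": bits,
        "vpnc_accepts": raw in VPNC_VALUES,
        "meets_policy": bits is not None and bits >= min_bits,
    }

if __name__ == "__main__":
    print(audit_dh_group(ISSUE_CONF))
```

With these assumptions no value can be both accepted by vpnc and at or above the 2048-bit floor, which is the gap the issue reports.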