IPSec Tunnel's Encryption Settings Mismatch

Note: This topic applies to the Hearst Release.

IPSec encryption settings are strictly enforced — both ends of the tunnel must use the same encryption key. Previously, a mismatch was allowed.

Previously, you were warned when a mismatch was found in a connected tunnel, giving you the opportunity to resolve it before upgrading to this release, in which such a mismatch prevents the tunnel from connecting. There is no way to detect a mismatch in encryption settings in unconnected tunnels in advance.

What do I need to do?

You must check the following for each IPSec tunnel:

Matching phase 1 and phase 2 encryption algorithms
Matching phase 1 and phase 2 hash algorithms
Matching phase 1 and phase 2 key sizes

These settings are found in the Smoothwall administration user interface, on the Network > VPN > IPSec subnets page — you must edit each tunnel separately. For a detailed description of how to do this, see Creating an IPSec Subnet VPN.

Smoothwall supports the following:

Setting              Selection
Encryption           AES with 128- or 256-bit keys, or 3DES
Authentication type  AH or ESP
Hashing algorithm    SHA1

The use of MD5 hashing is not recommended, although it will continue to be supported for backwards compatibility.

What about Diffie-Hellman Groups?

At the time of writing, the Diffie-Hellman key exchange group of configured tunnels cannot be changed through the Smoothwall administration user interface — Diffie-Hellman groups 2 (1024-bit), 5 (1536-bit), and 14 (2048-bit) are supported. Note that when the Smoothwall is the end of the tunnel initiating the connection, it proposes group 5. When the remote end is the initiator, it can propose any group, but you should ensure both ends match.

Note: Support for 1024-bit Diffie-Hellman groups may be deprecated in a future release.
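As an added example (not Smoothwall's own code), the following Python check applies the per-tunnel comparison from "What do I need to do?" together with the Diffie-Hellman constraints from this section to a constructed pair of tunnel-end settings. The dictionary layout, the sample values and the 168-bit key size recorded for 3DES are assumptions for illustration, not Smoothwall's configuration format.

```python
# Added example (not Smoothwall code); dictionary layout and sample values are constructed.
SUPPORTED_ENCRYPTION = {("aes", 128), ("aes", 256), ("3des", 168)}
SUPPORTED_DH_GROUPS = {2, 5, 14}      # 1024-, 1536- and 2048-bit
SMOOTHWALL_PROPOSED_DH_GROUP = 5      # proposed when the Smoothwall initiates
PHASE_SETTINGS = ("encryption", "key_size", "hash")

def check_phases(local, remote):
    """Compare phase 1 and phase 2 end to end; any error stops the tunnel connecting."""
    errors, warnings = [], []
    for phase in ("phase1", "phase2"):
        for setting in PHASE_SETTINGS:
            l, r = local[phase][setting], remote[phase][setting]
            if l != r:
                errors.append(f"{phase} {setting} mismatch: local={l} remote={r}")
        for end, cfg in (("local", local[phase]), ("remote", remote[phase])):
            if (cfg["encryption"], cfg["key_size"]) not in SUPPORTED_ENCRYPTION:
                errors.append(f"{end} {phase}: {cfg['encryption']}-{cfg['key_size']} is not supported")
            if cfg["hash"] == "md5":
                warnings.append(f"{end} {phase}: MD5 is kept only for backwards compatibility")
    return errors, warnings

def check_dh_group(remote_group, smoothwall_initiates):
    """The DH group cannot be changed in the Smoothwall UI, so the remote end must fit it."""
    errors, warnings = [], []
    if smoothwall_initiates and remote_group != SMOOTHWALL_PROPOSED_DH_GROUP:
        errors.append(f"Smoothwall proposes DH group {SMOOTHWALL_PROPOSED_DH_GROUP} when "
                      f"initiating; remote is set to group {remote_group}")
    elif remote_group not in SUPPORTED_DH_GROUPS:
        errors.append(f"DH group {remote_group} is not supported; use one of {sorted(SUPPORTED_DH_GROUPS)}")
    if remote_group == 2:
        warnings.append("1024-bit DH group 2 may be deprecated in a future release")
    return errors, warnings

def check_tunnel(local, remote, smoothwall_initiates):
    """Return (errors, warnings) for one tunnel; fix every error before upgrading."""
    e1, w1 = check_phases(local, remote)
    e2, w2 = check_dh_group(remote["dh_group"], smoothwall_initiates)
    return e1 + e2, w1 + w2

# Constructed sample: phase 1 matches, phase 2 key size and hash do not, remote uses group 2.
LOCAL = {"phase1": {"encryption": "aes", "key_size": 256, "hash": "sha1"},
         "phase2": {"encryption": "aes", "key_size": 256, "hash": "sha1"}}
REMOTE = {"phase1": {"encryption": "aes", "key_size": 256, "hash": "sha1"},
          "phase2": {"encryption": "aes", "key_size": 128, "hash": "md5"},
          "dh_group": 2}

if __name__ == "__main__":
    errors, warnings = check_tunnel(LOCAL, REMOTE, smoothwall_initiates=True)
    print("\n".join(["ERRORS:", *errors, "WARNINGS:", *warnings]))
```

Run it against each tunnel's two ends before upgrading; an empty error list means the tunnel will still connect under strict enforcement.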