IPSec Tunnel's Encryption Settings Mismatch

In our forthcoming release, which focuses on performance and future-proofing the underlying Smoothwall infrastructure, the IPSec tunnels' encryption will be tightened.

IPSec encryption settings will be strictly enforced — both ends of the tunnel must use the same encryption key. Previously, a mismatch was allowed.

This release informs you when a mismatch is found in a connected tunnel, providing the opportunity to resolve it before upgrading to the next release, where such a mismatch will prevent the tunnel from connecting. Note that the local and remote ends of the tunnel must be connected for a mismatch to be detected and the warning shown; there is no way to preempt or detect a mismatch in encryption settings in unconnected tunnels.

What do I need to do?

Before installing the next castle release, you must check the following for each IPSec tunnel:

Matching phase 1 and phase 2 cryptographic algorithms
Matching phase 1 and phase 2 hash algorithms
Matching phase 1 and phase 2 key sizes

These settings are found in the Smoothwall administration user interface, on the Network > VPN > IPSec subnets page — you must edit each tunnel separately. For a detailed description of how to do this, see Creating an IPSec Subnet VPN.

Smoothwall supports the following:

Setting                 Selection
Encryption              AES — with 128- or 256-bit keys, or 3DES
Authentication type     AH or ESP
Hashing algorithm       SHA1

The use of MD5 hashing is not recommended, although it will continue to be supported for backwards compatibility.

What about Diffie-Hellman Groups?

At the time of writing, you cannot change the Diffie-Hellman key exchange group for configured tunnels through the Smoothwall administration user interface — Diffie-Hellman key exchange group 2 (1024-bit) and group 5 (1536-bit) are supported. However, it should be noted that when the Smoothwall is the end of the tunnel initiating the connection, it will propose group 5. When the remote end is the initiator, it can propose either group 2 or group 5, but you should ensure both ends match before installing the next release.

Note: Support for 1024-bit Diffie-Hellman groups may be deprecated in a future release.

Following an update to the next castle release, Diffie-Hellman key exchange group 14 (2048-bit) will also be supported.
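The checklist above (matching phase 1 and phase 2 cipher, hash and key size) and the Diffie-Hellman behaviour just described can be turned into a pre-upgrade check. The script below is an added illustration, not a Smoothwall tool: it models each end of a tunnel as a small record, lists every setting that the next release would reject as a mismatch, reports which Diffie-Hellman group results depending on which end initiates, and flags settings the article advises against (MD5, 1024-bit group 2). The `Phase` and `TunnelEnd` records, the field names and the sample tunnels are assumptions made for the example; the 168-bit key size shown for 3DES is likewise an assumption, since the article only gives key sizes for AES.

```python
"""Pre-upgrade check for an IPsec tunnel: compare both ends' settings.

Hypothetical checker written for this article; the data model below is an
assumption, not Smoothwall's configuration format.
"""
from dataclasses import dataclass

# From the article: groups supported now (14 arrives with the next castle
# release) and the 1024-bit group that may be deprecated later.
SUPPORTED_DH_GROUPS = frozenset({2, 5})
DEPRECATING_DH_GROUPS = frozenset({2})
NOT_RECOMMENDED_HASHES = frozenset({"md5"})


@dataclass(frozen=True)
class Phase:
    cipher: str      # "aes" or "3des"
    key_bits: int    # 128 or 256 for AES; 168 assumed for 3DES
    hash_alg: str    # "sha1" or "md5"

    def normalized(self):
        return (self.cipher.lower(), self.key_bits, self.hash_alg.lower())


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    phase1: Phase
    phase2: Phase
    dh_groups: frozenset     # groups this end will propose or accept
    preferred_dh_group: int  # group proposed when this end initiates


def mismatches(local, remote):
    """Settings that differ between the ends. Any entry means the tunnel will
    not connect once mismatches are strictly enforced."""
    problems = []
    for phase_no, a, b in ((1, local.phase1, remote.phase1),
                           (2, local.phase2, remote.phase2)):
        for field, x, y in zip(("cipher", "key size", "hash"),
                               a.normalized(), b.normalized()):
            if x != y:
                problems.append(
                    f"phase {phase_no} {field}: {local.name}={x} {remote.name}={y}")
    if not (local.dh_groups & remote.dh_groups):
        problems.append(
            f"Diffie-Hellman: no common group between {sorted(local.dh_groups)} "
            f"and {sorted(remote.dh_groups)}")
    return problems


def negotiated_dh_group(initiator, responder):
    """Group in use when `initiator` opens the tunnel: it proposes its
    preferred group, which the responder accepts only if configured for it.
    Returns None when the proposal would be refused."""
    proposed = initiator.preferred_dh_group
    return proposed if proposed in responder.dh_groups else None


def warnings(end):
    """Settings that still work but the article advises moving away from."""
    notes = []
    for phase_no, p in ((1, end.phase1), (2, end.phase2)):
        if p.hash_alg.lower() in NOT_RECOMMENDED_HASHES:
            notes.append(f"{end.name} phase {phase_no} uses {p.hash_alg}: not recommended")
    for g in sorted(end.dh_groups & DEPRECATING_DH_GROUPS):
        notes.append(f"{end.name} accepts DH group {g} (1024-bit): may be deprecated")
    return notes


# Constructed sample tunnels (not real configurations).
SMOOTHWALL = TunnelEnd("smoothwall", Phase("AES", 256, "SHA1"), Phase("AES", 256, "SHA1"),
                       SUPPORTED_DH_GROUPS, preferred_dh_group=5)
REMOTE_OK = TunnelEnd("branch-ok", Phase("AES", 256, "SHA1"), Phase("AES", 256, "SHA1"),
                      frozenset({5}), preferred_dh_group=5)
# Phase 2 key size and hash differ, and this peer only accepts group 2.
REMOTE_BAD = TunnelEnd("branch-bad", Phase("AES", 256, "SHA1"), Phase("AES", 128, "MD5"),
                       frozenset({2}), preferred_dh_group=2)

if __name__ == "__main__":
    for peer in (REMOTE_OK, REMOTE_BAD):
        print(f"== {SMOOTHWALL.name} <-> {peer.name}")
        for line in mismatches(SMOOTHWALL, peer) or ["no mismatches"]:
            print("  MISMATCH:", line)
        print("  DH group if Smoothwall initiates:", negotiated_dh_group(SMOOTHWALL, peer))
        print("  DH group if peer initiates:     ", negotiated_dh_group(peer, SMOOTHWALL))
        for line in warnings(peer):
            print("  WARNING:", line)
```

The `branch-bad` sample shows the case the article singles out: the tunnel comes up when the remote end initiates (it proposes group 2, which the Smoothwall accepts) but fails when the Smoothwall initiates and proposes group 5, so a tunnel that "works" today can still be silently out of step.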