ipsec: adding new key-proposal that we wanna move towards to. once rolled out, we'd like to deprecate the old weak ones

2018-10-26 21:46:49 +02:00 · 2018-10-26 21:46:49 +02:00 · 467548f6e8
parent 056ca4c6ea
commit 467548f6e8
1 changed files with 2 additions and 2 deletions
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@ -17,8 +17,8 @@ conn %default
    dpdaction=restart
    type=transport
    keyexchange=ikev1
-    ike=aes128-sha1-modp2048!
-    esp=aes128-sha1-modp2048!
+    ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
+    esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
    leftcert=FQHOSTNAME.crt
    leftid="C=US, O=Wit, CN=FQHOSTNAME"
    rightid="C=US, O=Wit, CN=*"