Disable weak IPSec encryption settings

Hi

Please is it possible to disable weak IPSec encryption ciphers on VyOS?

Hello @sinaowolabi, what do you mean?
I think you can configure any proposals which you want.

Sorry just seeing this.
I am trying to mitigate an audit check which is scanning the VyOS’s public addresses.
It's being flagged as a vulnerability and I want to be able to close it.

Are you sure the finding is with VyOS itself and not with services you are exposing via the public address?

I don’t have anything currently exposed beyond SSH.

So I assume the finding is with SSH ciphers, not IPSec? I’m not aware of anything in the config to limit the ciphers used for SSH.

Maybe can you share the relevant section of the scan so it’s clear what the finding is showing?

set service ssh ciphers

Should be it right?


Yep, looks good.

https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Thanks. I will let them scan again.

Can you share what command you used please?

This is what I ended up using on my config:

set service ssh ciphers 'chacha20-poly1305@openssh.com'
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh ciphers 'aes128-gcm@openssh.com'
set service ssh key-exchange 'curve25519-sha256@libssh.org'
set service ssh key-exchange 'ecdh-sha2-nistp521'
set service ssh key-exchange 'ecdh-sha2-nistp384'
set service ssh key-exchange 'ecdh-sha2-nistp256'
set service ssh mac 'hmac-sha2-512-etm@openssh.com'
set service ssh mac 'hmac-sha2-256-etm@openssh.com'
set service ssh mac 'umac-128-etm@openssh.com'

If you want to stay compliant with mozilla-modern, this is the config you should use:

set service ssh ciphers 'chacha20-poly1305@openssh.com'
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh ciphers 'aes128-gcm@openssh.com'
set service ssh ciphers 'aes256-ctr'
set service ssh ciphers 'aes192-ctr'
set service ssh ciphers 'aes128-ctr'

set service ssh disable-password-authentication

set service ssh key-exchange 'curve25519-sha256@libssh.org'
set service ssh key-exchange 'ecdh-sha2-nistp521'
set service ssh key-exchange 'ecdh-sha2-nistp384'
set service ssh key-exchange 'ecdh-sha2-nistp256'
set service ssh key-exchange 'diffie-hellman-group-exchange-sha256'

set service ssh mac 'hmac-sha2-512-etm@openssh.com'
set service ssh mac 'hmac-sha2-256-etm@openssh.com'
set service ssh mac 'umac-128-etm@openssh.com'
set service ssh mac 'hmac-sha2-512'
set service ssh mac 'hmac-sha2-256'
set service ssh mac 'umac-128@openssh.com'
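To check a VyOS SSH configuration against the mozilla-modern algorithm lists from the post above before handing the box back to the auditors, the following script parses `set service ssh ciphers|key-exchange|mac` lines and reports anything outside the policy. This is an added example, not code from the thread or from the VyOS project; the allowed sets are copied from the config above, the sample config is constructed and deliberately contains a CBC cipher, a SHA-1 key exchange and a SHA-1 MAC, and the "unrestricted" rule assumes that an option with no `set` line leaves sshd on its built-in default list.

```python
import shlex

# Allowed algorithm sets, copied from the mozilla-modern VyOS config posted in the
# thread (mirroring https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67).
MOZILLA_MODERN = {
    "ciphers": {
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
    },
    "key-exchange": {
        "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
        "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256",
    },
    "mac": {
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
        "umac-128@openssh.com",
    },
}

# Constructed sample config: still allows a CBC cipher, a SHA-1 KEX and a SHA-1 MAC.
SAMPLE_CONFIG = """
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh ciphers 'aes128-cbc'
set service ssh key-exchange 'curve25519-sha256@libssh.org'
set service ssh key-exchange 'diffie-hellman-group14-sha1'
set service ssh mac 'hmac-sha2-256-etm@openssh.com'
set service ssh mac 'hmac-sha1'
set service ssh disable-password-authentication
"""


def parse_ssh_algorithms(commands):
    """Collect values from 'set service ssh {ciphers,key-exchange,mac} <algo>' lines.

    Other 'set service ssh ...' lines (port, disable-password-authentication, ...)
    are ignored; blank lines and '#' comments are skipped.
    """
    found = {option: [] for option in MOZILLA_MODERN}
    for raw in commands.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the quotes VyOS puts around values
        if len(parts) != 5 or parts[:3] != ["set", "service", "ssh"]:
            continue
        option, value = parts[3], parts[4]
        if option in found:
            found[option].append(value)
    return found


def check_policy(commands, policy=MOZILLA_MODERN):
    """Per option, return the configured algorithms the policy does not allow.

    An option with no 'set' line at all is reported as 'unrestricted', on the
    assumption that sshd then uses its built-in default list, not the policy.
    """
    found = parse_ssh_algorithms(commands)
    report = {}
    for option, allowed in policy.items():
        if not found[option]:
            report[option] = "unrestricted"
        else:
            report[option] = [algo for algo in found[option] if algo not in allowed]
    return report


def is_compliant(commands, policy=MOZILLA_MODERN):
    """True only if every option is explicitly set and every algorithm is allowed."""
    return all(weak == [] for weak in check_policy(commands, policy).values())


if __name__ == "__main__":
    for option, weak in check_policy(SAMPLE_CONFIG).items():
        print(f"{option:13s} -> {weak}")
    print("compliant:", is_compliant(SAMPLE_CONFIG))
```

Feed it the output of `show configuration commands | grep 'service ssh'` from the router; a non-empty list means the algorithm is configured but outside the policy, and "unrestricted" means the option was never set, which is the case that commonly trips a scanner even when the rest of the config looks tight.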

I am so very sorry.
It was a different device at the end of the IP, not the VyOS.
My colleagues had moved the IP to a Sophos device, and the IP was mapped to its HA port.
