Disable weak IPSec encryption settings

sinaowolabi · February 24, 2021, 9:50am

Hi

Please is it possible to disable weak IPSec encryption ciphers on VyOS?

Dmitry · February 24, 2021, 11:33am

Hello @sinaowolabi, what do you mean?
I think you can configure any proposals which you want.

sinaowolabi · February 25, 2021, 12:27pm

Sorry just seeing this.
I am trying to mitigate an audit check which is scanning the VyOS’s public addresses.
Its being flagged as a vulnerability and I want to be able to close it.

phillipmcmahon · February 25, 2021, 9:42pm

are you sure the finding is with vyos itself and not with services you are exposing via the public address?

sinaowolabi · February 25, 2021, 11:48pm

I don’t have anything currently exposed beyond SSH.

phillipmcmahon · February 26, 2021, 10:58am

So I assume the finding is with SSH ciphers, not IPSec? I’m not aware of anything in the config to limit the ciphers used for SSH.

Maybe can you share the relevant section of the scan so it’s clear what the finding is showing?

Critical · February 26, 2021, 6:41pm

set service ssh ciphers

Should be it right?

phillipmcmahon · February 26, 2021, 7:29pm

yep, look good.

sinaowolabi · February 26, 2021, 9:03pm

Thanks.I will let them scan again.

phillipmcmahon · February 27, 2021, 9:08am

can you share what command you used please?

phillipmcmahon · February 28, 2021, 10:18am

This is what I ended up using on my config;

set service ssh ciphers 'chacha20-poly1305@openssh.com'
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh ciphers 'aes128-gcm@openssh.com'
set service ssh key-exchange 'curve25519-sha256@libssh.org'
set service ssh key-exchange 'ecdh-sha2-nistp521'
set service ssh key-exchange 'ecdh-sha2-nistp384'
set service ssh key-exchange 'ecdh-sha2-nistp256'
set service ssh mac 'hmac-sha2-512-etm@openssh.com'
set service ssh mac 'hmac-sha2-256-etm@openssh.com'
set service ssh mac 'umac-128-etm@openssh.com'

phillipmcmahon · March 2, 2021, 7:04am

If you want to stay compliant with mozilla-modern, this is the config you should use

set service ssh ciphers 'chacha20-poly1305@openssh.com'
set service ssh ciphers 'aes256-gcm@openssh.com'
set service ssh ciphers 'aes128-gcm@openssh.com'
set service ssh ciphers 'aes256-ctr'
set service ssh ciphers 'aes192-ctr'
set service ssh ciphers 'aes128-ctr'

set service ssh disable-password-authentication

set service ssh key-exchange 'curve25519-sha256@libssh.org'
set service ssh key-exchange 'ecdh-sha2-nistp521'
set service ssh key-exchange 'ecdh-sha2-nistp384'
set service ssh key-exchange 'ecdh-sha2-nistp256'
set service ssh key-exchange 'diffie-hellman-group-exchange-sha256'

set service ssh mac 'hmac-sha2-512-etm@openssh.com'
set service ssh mac 'hmac-sha2-256-etm@openssh.com'
set service ssh mac 'umac-128-etm@openssh.com'
set service ssh mac 'hmac-sha2-512'
set service ssh mac 'hmac-sha2-256'
set service ssh mac 'umac-128@openssh.com'

sinaowolabi · May 25, 2021, 8:05am

I am so very sorry.
It was a different device at the end of the IP, not the VyOS.
My colleagues had moved the IP to a Sophos device, and the IP was mapped to its HA port.

system · May 27, 2021, 8:05am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.