Feature Highlights IPFire 2.15 #3: VPN Ciphers
by Michael Tremer, January 7, 2014

As we are putting a lot of focus on the VPN functionality of IPFire, we made some changes to the ciphers that are used for IPsec and OpenVPN.

IPsec

Some additional algorithms for encryption and the key exchange have been added.

Camellia

IPsec can now use the Camellia cipher, which was developed by Mitsubishi and NTT Japan. In terms of performance and security, it is very similar to AES. It supports keys of different lengths up to 256 bits.

Brainpool Elliptic Curves

As an alternative to the previously introduced elliptic curves that were specified by NIST, more elliptic curves have been added. These curves are standardized in RFC 5639 by Merkle and Lochter, who work for the Bundesamt für Sicherheit in der Informationstechnik (BSI) and secunet Security Networks.

With those two additions, it is possible to use cryptography that has not been standardized by an American government institution.

OpenVPN

On new installations, the default algorithm for roadwarrior networks is now AES-256-CBC. The former default was Blowfish, which has very good performance, but we think that we should always go for better security if feasible. The hardware most of you are using for IPFire is well capable of using the latest ciphers.

OpenVPN is now also able to use the Camellia cipher.

