Overview
The VPN Client, or the "Active" side of a VPN Tunnel, selects the cipher; the connection is established only if the peer/host supports the selected cipher.
We have two main changes in this context:
- 9.2.8: the VPN Client and the "Active" side of the VPN Tunnel drop Blowfish support and only use AES-GCM when starting a new connection.
- 9.2.9: by default there is no Blowfish support at all, neither in the VPN Client nor in the VPN Tunnel.
To answer any question about VPN connectivity between versions, one needs to know:
- Which cipher is selected by the initiator (VPN Client or active side of the VPN Tunnel)
- Which cipher(s) the other party supports
- The connection is established only if there is a match
Facts:
- 9.2.8 is backward compatible when it is the passive side (VPN Server or passive side of the VPN Tunnel)
- There is no cipher issue between 9.2.8 and 9.2.9 or later (all use AES)
- There will be no VPN connection between 9.2.9 and 9.2.7 or older (VPN Client or VPN Tunnel) unless Blowfish support is enabled in 9.2.9
How To Enable Blowfish Support in 9.2.9
- Log in to Kerio Control via SSH or the console
- Change to the /opt/kerio/winroute directory
- Run ./tinydbclient "Update VPN set AllowBlowfishCipher=1"
DISCLAIMER: We recommend upgrading all software and not re-enabling Blowfish. The above procedure should only be used until all clients have been upgraded.
Initiator                      Selected Cipher
9.2.7 Client                   Blowfish
9.2.8 Client                   AES-GCM
9.2.9 Client                   AES-GCM
9.2.7 Tunnel - Active Side     Blowfish
9.2.8 Tunnel - Active Side     AES-GCM
9.2.9 Tunnel - Active Side     AES-GCM

Host (Server or Tunnel Passive Side)     Accepted Cipher
9.2.7                                    Blowfish
9.2.8                                    Blowfish / AES-GCM
9.2.9                                    AES-GCM

Compatibility (Yes = VPN connection is established):

Initiator \ Host           9.2.7 Server or        9.2.8 Server or        9.2.9 Server or
                           Tunnel Passive Side    Tunnel Passive Side    Tunnel Passive Side
9.2.7 Client               Yes                    Yes                    No
9.2.8 Client               No                     Yes                    Yes
9.2.9 Client               No                     Yes                    Yes
9.2.7 Tunnel Active        Yes                    Yes                    No
9.2.8 Tunnel Active        No                     Yes                    Yes
9.2.9 Tunnel Active        No                     Yes                    Yes
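The compatibility matrix above follows from one rule: the initiator's selected cipher must be in the host's accepted set. The constructed Python model below (an added example, not Kerio code) encodes the per-version cipher facts from this page and derives the matrix, with and without AllowBlowfishCipher=1. It treats VPN Client and tunnel active side identically, as the page's tables do, and assumes the flag only widens what a 9.2.9 host accepts; what it does on a 9.2.9 initiator is not described on the page.

```python
# Constructed model of the Kerio Control VPN cipher negotiation rule above.
# Cipher facts per version are the ones stated on this page; the
# AllowBlowfishCipher flag is modelled only on the 9.2.9 host side
# (assumption: it widens what the passive side accepts, nothing more).

VERSIONS = ["9.2.7", "9.2.8", "9.2.9"]

# Cipher the initiator (VPN Client / tunnel active side) selects.
INITIATOR_SELECTS = {"9.2.7": "Blowfish", "9.2.8": "AES-GCM", "9.2.9": "AES-GCM"}

# Ciphers the host (VPN Server / tunnel passive side) accepts by default.
HOST_ACCEPTS = {
    "9.2.7": {"Blowfish"},
    "9.2.8": {"Blowfish", "AES-GCM"},
    "9.2.9": {"AES-GCM"},
}


def host_ciphers(host_version, allow_blowfish=False):
    """Ciphers a host accepts; allow_blowfish models AllowBlowfishCipher=1."""
    accepted = set(HOST_ACCEPTS[host_version])
    if allow_blowfish and host_version == "9.2.9":
        accepted.add("Blowfish")  # the workaround from the page, 9.2.9 only
    return accepted


def negotiate(initiator_version, host_version, allow_blowfish=False):
    """Cipher the tunnel will use, or None when the selected cipher is not accepted."""
    selected = INITIATOR_SELECTS[initiator_version]
    if selected in host_ciphers(host_version, allow_blowfish):
        return selected
    return None


def compatibility_matrix(allow_blowfish=False):
    """{initiator_version: {host_version: connects?}} derived from the rule above."""
    return {
        i: {h: negotiate(i, h, allow_blowfish) is not None for h in VERSIONS}
        for i in VERSIONS
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"AllowBlowfishCipher={int(flag)} on 9.2.9 hosts")
        print("initiator \\ host   " + "    ".join(VERSIONS))
        for i, row in compatibility_matrix(flag).items():
            print(f"{i:<18}" + "    ".join("Yes  " if row[h] else "No   " for h in VERSIONS))
```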