Netgate Discussion Forum

    is there any changes made to ipsec in 2.7 beta so it can't connect to a 2.6 site?

    Category: CE 2.7.0 Development Snapshots (Retired)
    10 Posts 3 Posters 1.7k Views
    • S
      seanr22a
      last edited by

      I've been running pfSense 2.6 since it got released at two sites. I use IPsec to connect the two sites and it has been working perfectly until today, when I got the stupid idea to give 2.7 (beta 2.7.0.a.20220603.1431) a try at one of the sites. I'm well aware that it is a beta, so if it's not possible to solve the problem I'll just go back to 2.6.

      I just did an update, nothing else, and now I can't get a connection between the two sites. This is the IPsec log; there are two lines I've not seen before about PRF_UNDEFINED and key derivation failed. Are there changes made to 2.7 that require me to run the same version at both sites?

      Jun 5 21:26:08 charon 58673 09[IKE] <1670> IKE_SA (unnamed)[1670] state change: CONNECTING => DESTROYING
      Jun 5 21:26:08 charon 58673 09[NET] <1670> sending packet: from 213.114.226.185[500] to 78.82.16.150[500] (36 bytes)
      Jun 5 21:26:08 charon 58673 09[ENC] <1670> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Jun 5 21:26:08 charon 58673 09[IKE] <1670> key derivation failed
      Jun 5 21:26:08 charon 58673 09[IKE] <1670> KDF_PRF with PRF_UNDEFINED not supported
      Jun 5 21:26:08 charon 58673 09[CFG] <1670> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Jun 5 21:26:08 charon 58673 09[CFG] <1670> selected proposal: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_3072
      Jun 5 21:26:08 charon 58673 09[CFG] <1670> configured proposals: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_3072
      Jun 5 21:26:08 charon 58673 09[CFG] <1670> received proposals: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_3072
      Jun 5 21:26:08 charon 58673 09[CFG] <1670> proposal matches
      Jun 5 21:26:08 charon 58673 09[CFG] <1670> selecting proposal:

      • T
        ThatGuy 0
        last edited by

        I briefly updated to 2.7 yesterday and noticed that it broke IPSec (at least my configuration, which uses EAP-TLS). Reverted back to 2.6 and the same config started working again. Just chiming in.

        Cheers

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          There aren't any changes that should impact that. PRF is a pseudo-random function which is usually selected automatically based on the chosen hash but can be selected manually.

          What exactly do you have chosen for both P1 and P2 encryption? (the encryption algorithm, hash, dh/pfs, and PRF if you picked one)

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Based on your logs it looks like you are using AES-XCBC as your P1 hash/PRF which is something we stopped recommending because it's problematic in general: https://redmine.pfsense.org/issues/12471

            Though nothing specific I'm aware of changed with support for that, it's worth updating your tunnels to use a different hash.

            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              For what it's worth I checked several tunnels in my lab between 22.05/2.7.0 snapshots and older releases, including 2.6.0, 22.01, and 2.5.2 and they all worked fine. I don't have any left set on AES-XCBC, though.

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                Searching the error turns up this, which also suggests it's due to using AES-XCBC: https://bytemeta.vip/repo/strongswan/strongswan/issues/1026

                • T
                  ThatGuy 0
                  last edited by

                  I'm using SHA512 and 2.7 broke IPSec. I didn't do much troubleshooting and reverted back to 2.6 where the same config immediately started working again, so I don't really have much to contribute. But if it's the same issue, it would be related to something else.

                  I was able to connect to the VPN but no traffic would flow (local or internet).

                  Cheers

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate @ThatGuy 0
                    last edited by jimp

                    @thatguy-0 said in is there any changes made to ipsec in 2.7 beta so it can't connect to a 2.6 site?:

                    I'm using SHA512 and 2.7 broke IPSec. I didn't do much troubleshooting and reverted back to 2.6 where the same config immediately started working again, so I don't really have much to contribute. But if it's the same issue, it would be related to something else.

                    I was able to connect to the VPN but no traffic would flow (local or internet).

                    That sounds like a completely different issue than the one described here, and we'd need a lot more detail (in a separate thread) to speculate about what might have happened.

                    • S
                      seanr22a @jimp
                      last edited by

                      @jimp said in is there any changes made to ipsec in 2.7 beta so it can't connect to a 2.6 site?:

                      AES-XCBC as your P1

                      That was it!

                      I changed to AES256-GCM/SHA256 for P1 and AES256-GCM for P2 and now it's working. Strange that my old AES-XCBC setup has been working for so long with 2.6.

                      Many thanks for your suggestion 👍

                      • jimpJ
                        jimp Rebel Alliance Developer Netgate @seanr22a
                        last edited by

                        @seanr22a said in is there any changes made to ipsec in 2.7 beta so it can't connect to a 2.6 site?:

                        @jimp said in is there any changes made to ipsec in 2.7 beta so it can't connect to a 2.6 site?:

                        AES-XCBC as your P1

                        That was it!

                        I changed to AES256-GCM/SHA256 for P1 and AES256-GCM for P2 and now it's working. Strange that my old AES-XCBC setup has been working for so long with 2.6.

                        Many thanks for your suggestion 👍

                        In the past we used to recommend it as AES-XCBC could be accelerated on hardware like AES-NI, and since it was a PRF only it made sense to pair with GCM ciphers which already do their own hashing. But we've learned over time that it has other issues and compatibility problems so we adjusted the recommendations. Also hardware has caught up and common secure hashes like SHA256 can also be accelerated in some cases.

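As an added illustration (not code from the thread or from pfSense), the script below turns the diagnosis jimp gave into a log check: it parses charon lines in the format quoted in the first post, correlates them by IKE_SA id, and flags any SA whose selected proposal carries the AES-XCBC PRF and then hits "key derivation failed" / "PRF_UNDEFINED". The sample log is constructed from the thread's own lines; the helper names are mine.

```python
import re

# Constructed sample mirroring the charon lines quoted in the thread
# (newest first, as the pfSense IPsec log view shows them).
SAMPLE_LOG = """\
Jun 5 21:26:08 charon 58673 09[ENC] <1670> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 5 21:26:08 charon 58673 09[IKE] <1670> key derivation failed
Jun 5 21:26:08 charon 58673 09[IKE] <1670> KDF_PRF with PRF_UNDEFINED not supported
Jun 5 21:26:08 charon 58673 09[CFG] <1670> selected proposal: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_3072
Jun 5 21:26:08 charon 58673 09[CFG] <1670> configured proposals: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_3072
"""

# "<month> <day> <time> charon <pid> <thread>[<subsystem>] <<ike_sa>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon \d+ \d+\[(?P<sub>\w+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$"
)
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(?P<enc>[^/]+)/(?P<prf>[^/]+)/(?P<dh>\S+)")

def parse_charon_lines(text):
    """Yield (ike_sa_id, subsystem, message) for each well-formed charon line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("sa"), m.group("sub"), m.group("msg")

def find_prf_failures(text):
    """Group messages by IKE_SA id and return only the SAs where a key
    derivation failure was logged for a proposal whose PRF is AES-XCBC.
    Result: {sa_id: {"enc": ..., "prf": ..., "dh": ..., "failed": True}}."""
    per_sa = {}
    for sa, _sub, msg in parse_charon_lines(text):
        entry = per_sa.setdefault(sa, {"enc": None, "prf": None, "dh": None, "failed": False})
        pm = PROPOSAL_RE.search(msg)
        if pm:
            entry.update(enc=pm["enc"], prf=pm["prf"], dh=pm["dh"])
        if "key derivation failed" in msg or "PRF_UNDEFINED" in msg:
            entry["failed"] = True
    return {sa: e for sa, e in per_sa.items()
            if e["failed"] and e["prf"] and "XCBC" in e["prf"]}

def recommend(findings):
    """One remediation line per flagged SA, following the P1 change the thread settled on."""
    return [f"IKE_SA {sa}: {e['enc']}/{e['prf']}/{e['dh']} failed key derivation; "
            f"change the P1 hash/PRF from AES-XCBC to SHA256 (e.g. AES256-GCM/SHA256)"
            for sa, e in findings.items()]

if __name__ == "__main__":
    for line in recommend(find_prf_failures(SAMPLE_LOG)):
        print(line)
```

Feed it the IPsec log from Status > System Logs on the responder; an SA that negotiates a SHA2 PRF, or one that uses AES-XCBC without a failure line, is not reported.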
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.