IPSec bug with PFS Key group?
-
Hello guys,
we ran into problems with the latest 2.2/2.2.1 releases not being able to connect to a remote side where the phase 2 PFS key group was set.
Checking /var/etc/ipsec.conf revealed that the esp setting in the config was not being written correctly. The pfs/modp part was missing completely. I checked /etc/inc/vpn.inc and found line 850:
if (isset($a_client['pfs_group'])) $ph2ent['pfsgroup'] = $a_client['pfs_group'];
The form post value is actually pfsgroup, not pfs_group.
Changing it to:
if (isset($a_client['pfsgroup'])) $ph2ent['pfsgroup'] = $a_client['pfsgroup'];
wrote the correct ipsec.conf and the connection worked after that.
Is that a bug? Should and can I submit this somewhere?
Sebastian
-
It's confusing, but the parameter is called pfs_group on <client> and pfsgroup on <phase2>. Can you share a sanitized version of your config.xml?
-
Can you clarify this a bit, since I do not see any issue there?
The code is correct there from what I can tell, but what works for you after changing it?
-
Sorry for late reply. Was out of town for two days. Thanks for your quick replies!
ipsec.conf before fix:
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"

conn con1000
    reqid = 1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = xxx.xxx.xxx.xxx
    right = xxx.xxx.xxx.xxx
    leftid = xxx.xxx.xxx.xxx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = aes256-md5
    leftauth = psk
    rightauth = psk
    rightid = xxx.xxx.xxx.xxx
    aggressive = no
    rightsubnet = 100.64.13.160/29
    leftsubnet = 100.72.13.160/29
After fix:
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"

conn con1000
    reqid = 1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = xxx.xxx.xxx.xxx
    right = xxx.xxx.xxx.xxx
    leftid = xxx.xxx.xxx.xxx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = aes256-md5-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = xxx.xxx.xxx.xxx
    aggressive = no
    rightsubnet = 100.64.13.160/29
    leftsubnet = 100.72.13.160/29

Please note the esp = line. Maybe it's a configuration thing, but after changing the post name in the source the file was being generated correctly. Before it was not.
Sanitized config attached.
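As an editor-added check (not part of the post above, and not pfSense code): the symptom described here is a generated /var/etc/ipsec.conf whose esp line carries the ciphers but no DH group, so the responder rejects the quick-mode proposal when it expects PFS. The small script below parses a strongSwan-style ipsec.conf into its conn sections, pulls the DH group out of each ESP proposal, and lists the conns that lack the group you expect. The two embedded configs are constructed from the sanitized "before" and "after" files posted above; the pfsgroup-number-to-name table is the standard IKE DH group numbering that pfSense stores in <pfsgroup>. Point it at the real file to audit a box that has been upgraded to 2.2/2.2.1.

```python
import re
import sys

# IKE DH group number (what pfSense stores as <pfsgroup>) -> strongSwan keyword.
DH_GROUPS = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
    15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521",
}

# Constructed sample modelled on the "before fix" file above: esp has no DH group.
IPSEC_CONF_BEFORE = """\
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"

conn con1000
    reqid = 1
    keyexchange = ikev1
    type = tunnel
    ike = 3des-sha1-modp1024!
    esp = aes256-md5
    leftsubnet = 100.72.13.160/29
    rightsubnet = 100.64.13.160/29
"""

# Constructed sample modelled on the "after fix" file: esp carries modp1024.
IPSEC_CONF_AFTER = IPSEC_CONF_BEFORE.replace(
    "esp = aes256-md5", "esp = aes256-md5-modp1024!")


def parse_ipsec_conf(text):
    """Return {conn_name: {option: value}} for every 'conn' section.

    Section headers start in column 0; options are indented. 'config setup'
    and 'ca' sections are skipped because they carry no ESP proposal.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace():              # a section header
            m = re.match(r"^conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return conns


def esp_dh_groups(esp):
    """DH group keyword per comma-separated ESP proposal; None where absent.

    'aes256-md5-modp1024!' -> ['modp1024'], 'aes256-md5' -> [None].
    """
    groups = []
    for proposal in esp.rstrip("!").split(","):
        parts = proposal.split("-")
        group = next((p for p in parts
                      if re.fullmatch(r"modp\d+|ecp\d+|curve25519", p)), None)
        groups.append(group)
    return groups


def conns_missing_pfs(text, expected_group):
    """Names of conns where no ESP proposal carries expected_group."""
    missing = []
    for name, opts in parse_ipsec_conf(text).items():
        if expected_group not in esp_dh_groups(opts.get("esp", "")):
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Usage: python check_pfs.py [/var/etc/ipsec.conf] [pfsgroup-number]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else IPSEC_CONF_BEFORE
    expected = DH_GROUPS[int(sys.argv[2])] if len(sys.argv) > 2 else "modp1024"
    for name, opts in parse_ipsec_conf(text).items():
        print(f"{name}: esp={opts.get('esp')!r} groups={esp_dh_groups(opts.get('esp', ''))}")
    bad = conns_missing_pfs(text, expected)
    print("missing PFS group %s: %s" % (expected, bad or "none"))
    sys.exit(1 if bad else 0)
```

The exit status makes it usable as a post-upgrade smoke test: a non-zero result on a tunnel whose phase 2 has a PFS group configured means the generated esp line will not match what the peer proposes, which is exactly the failure reported in this thread.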
-
Hi taenzerme,
I have a freshly installed 2.2.
There are some IPsec issues, but my ipsec.conf has the appropriate modp setting at esp:
esp = 3des-sha1-modp1536!
Does this only apply to modp1024?
best regards
thomas
-
Thomas,
ours are 2.1 upgraded to 2.2, and it happens with all modp settings; they're missing completely.
Changing the form name value for the field works, at least for us. I did not have the time to test with a fresh install but will do so later.
-
The root cause of that issue is https://redmine.pfsense.org/issues/4538 which is fixed for 2.2.2.