AES-256 for mobile clients broken in 1.2.3?



  • Having several successful 1.2.3-RC1 full installs going, I have delved into embedded with the 1.2.3 Release.

    I see between these releases that configuration for AES encryption has changed to AES-256

    Running to support Mobile clients I cannot get AES-256 to come up in phase 2. Enabling DES etc. comes straight up.

    For AES-256, the server end (embedded 2G images) creates a few pfkey errors (INVALID argument) and no entries are put in the SAD database. At the client end (FULL install) all is well and SAD entries are created with no errors seen.

    Has anyone else seen this?

    Thanks



  • Just to clarify this issue: using AES-256 for phase 2 DOES NOT WORK

    When used between two pfsense 1.3 installs and also between a pfsense release 1.3 and IPSecuritas as road warrior.

    The remote end appears to come up and install IPSEC SA but the pfsense end appears to agree phase 2 negotiation of AES 256 but is unable to apply the configuration reporting instead INVALID argument.

    If I change my remote clients to use AES-128 in the second phase all is well.

    I suggest this could simply be the difference between AES 256 and AES-256 but can't see any further with debug.

    The pfsense mobile-client "server" reports the following:

    DEBUG: pk_recv: retry[0] recv()
    2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
    2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
    2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
    2010-04-12 13:20:36: DEBUG: get pfkey ADD message
    2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
    2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
    2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
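    Added example (not from the post or from pfSense): a small checker that parses racoon debug output in the format quoted above and reports kernel pfkey rejections, pairing each "pfkey X failed" with the preceding "get pfkey X message" so that a phase 2 agreed but not installed (no SAD entry) shows up as UPDATE and ADD both failing. The sample log below is the post's own lines, re-typed as constructed input.

```python
import re

# Constructed sample: the racoon debug lines quoted in the post above
# (the first line has no timestamp, exactly as posted).
SAMPLE_LOG = """\
DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
"""

# "<timestamp>: <LEVEL>: <message>", with the timestamp optional.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
GET_RE = re.compile(r"^get pfkey (?P<op>[A-Z_]+) message$")
FAIL_RE = re.compile(r"^pfkey (?P<op>[A-Z_]+) failed: (?P<reason>.+)$")

def parse_line(line):
    """Split one racoon log line into ts/level/msg, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_pfkey_failures(text):
    """Return every ERROR 'pfkey <op> failed' record, noting whether it directly
    followed the matching 'get pfkey <op> message' (i.e. the kernel rejected it)."""
    failures, pending = [], None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        g = GET_RE.match(rec["msg"])
        if g:
            pending = g.group("op")
            continue
        f = FAIL_RE.match(rec["msg"])
        if f and rec["level"] == "ERROR":
            failures.append({"ts": rec["ts"], "op": f.group("op"),
                             "reason": f.group("reason"),
                             "after_get": pending == f.group("op")})
    return failures

def sa_install_failed(text):
    """True when both the SA UPDATE and ADD were rejected: the pattern in the
    post, where phase 2 is agreed but no SAD entry is ever created."""
    ops = {f["op"] for f in find_pfkey_failures(text)}
    return {"UPDATE", "ADD"} <= ops
```

Run it over a `racoon` log captured with debugging enabled; a non-empty result with `after_get` true on each entry points at the kernel refusing the negotiated SA parameters rather than at the IKE exchange itself.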



  • This time including IPSEC configs

    Pfsense 1.3 embedded

    Phase 1 Proposal
    negotiation > main
    identifier > My IP address
    enc alg > AES-256
    hash alg > SHA1
    DH grp > 1
    DPD
    Lifetime 1800
    Auth Method > RSA Sig
    cert > present
    Key > present

    Phase 2 Proposal
    Protocol > ESP
    Encr alg > AES-256
    Hash Alg > SHA1
    PFS Key Grp > 2
    Lifetime 1800

    IPSecuritas

    Phase1
    Life > 1800
    DH Grp > 768 (1)
    Enc > AES 256
    Auth > SHA-1
    Exch > Main
    Proposal Check > Obey
    Nonce Size > 16

    Phase 2
    Lifetime > 1800
    PFS Grp > 1024 (2)
    Encrp > AES 256 AES 192 AES 128
    Auth > HMAC SHA-1

    ID

    Local > Cert
    Remote > Address

    Auth Method : Certificates

