AES-256 for mobile clients broken in 1.2.3 ??
-
Having several successful 1.2.3-RC1 full installs going, I have delved into embedded with the 1.2.3 Release.
I see between these releases that the configuration for AES encryption has changed to AES-256.
Running to support mobile clients, I cannot get AES-256 to come up in phase 2. Enabling DES etc. comes straight up.
AES-256 at the server end (embedded 2G images) creates a few pfkey errors (INVALID argument) and no entries are put in the SAD database. At the client end (full install) all is well and SAD entries are created with no errors seen.
Has anyone else seen this?
Thanks
-
Just to clarify this issue: using AES-256 for phase 2 DOES NOT WORK
when used between two pfSense 1.3 installs and also between a pfSense release 1.3 and IPSecuritas as road warrior.
The remote end appears to come up and install the IPsec SA, but the pfSense end appears to agree phase 2 negotiation of AES-256 and is unable to apply the configuration, reporting instead INVALID argument.
If I change my remote clients to use AES-128 in the second phase all is well.
I suggest this could simply be the difference between AES 256 and AES-256 but can't see any further with debug.
The pfSense mobile-client "server" reports the following:
DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
-
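The racoon debug output above mixes the pfkey ADD/UPDATE failures that matter with a lot of retry noise. The following is an added example, not code from the thread or from pfSense: a small parser that pulls out the pfkey failures from racoon log text, counts them by operation and kernel error string, and reports whether any SA install (ADD or UPDATE) failed. The sample log is constructed from the lines quoted in the post (the first line deliberately has no timestamp, as in the post, and one constructed "IPsec-SA established" line is added to show the contrast); the "INFO" level and that line's wording are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the racoon debug lines quoted in the post.
# The first line has no timestamp, exactly as quoted, so the parser must cope.
# The final "IPsec-SA established" line is constructed to show a healthy install.
SAMPLE_LOG = """\
DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
2010-04-12 13:21:02: DEBUG: get pfkey ADD message
2010-04-12 13:21:02: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.1[500]->192.0.2.2[500] spi=12345(0x3039)
"""

# "YYYY-MM-DD HH:MM:SS: LEVEL: message" with the timestamp optional.
LINE_RE = re.compile(
    r'^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): )?(?P<level>[A-Z]+): (?P<msg>.*)$')
# "pfkey ADD failed: Invalid argument" -> op=ADD, reason=Invalid argument
PFKEY_FAIL_RE = re.compile(r'^pfkey (?P<op>[A-Z_]+) failed: (?P<reason>.+)$')
SA_OK_RE = re.compile(r'^IPsec-SA established: ')


def parse_line(line):
    """Split one racoon log line into timestamp (may be None), level and message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"ts": m.group("ts"), "level": m.group("level"), "msg": m.group("msg")}


def pfkey_failures(log_text):
    """Return every 'pfkey <OP> failed: <reason>' ERROR line, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        f = PFKEY_FAIL_RE.match(rec["msg"])
        if f:
            out.append({"ts": rec["ts"], "op": f.group("op"), "reason": f.group("reason")})
    return out


def failure_counts(log_text):
    """Count failures by (pfkey operation, kernel error string)."""
    return Counter((f["op"], f["reason"]) for f in pfkey_failures(log_text))


def sa_install_status(log_text):
    """Summarise whether the kernel actually accepted the negotiated SAs."""
    established = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and SA_OK_RE.match(rec["msg"]):
            established += 1
    # Only ADD and UPDATE put entries into the SAD; other pfkey ops are policy traffic.
    failed_ops = sorted({f["op"] for f in pfkey_failures(log_text) if f["op"] in ("ADD", "UPDATE")})
    return {"established": established, "failed_sa_ops": failed_ops, "broken": bool(failed_ops)}


if __name__ == "__main__":
    for (op, reason), n in failure_counts(SAMPLE_LOG).items():
        print(f"pfkey {op} failed {n}x: {reason}")
    print(sa_install_status(SAMPLE_LOG))
```

Feed it the output of `racoon -F -d` (or the pfSense IPsec log) on the server side: a non-empty `failed_sa_ops` with an empty SAD confirms the failure is at the kernel pfkey boundary, after phase 2 has already been agreed on the wire, rather than in the IKE negotiation itself.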
This time including IPsec configs
pfSense 1.3 embedded
Phase 1 Proposal
negotiation > main
identifier > My IP address
enc alg > AES-256
hash alg > SHA1
DH grp > 1
DPD
Lifetime 1800
Auth Method > RSA Sig
cert > present
Key > present
Phase 2 Proposal
Protocol > ESP
Encr alg > AES-256
Hash Alg > SHA1
PFS Key Grp > 2
Lifetime 1800
IPSecuritas
Phase1
Life > 1800
DH Grp > 768 (1)
Enc > AES 256
Auth > SHA-1
Exch > Main
Proposal Check > Obey
Nonce Size > 16
Phase 2
Lifetime > 1800
PFS Grp > 1024 (2)
Encrp > AES 256 AES 192 AES 128
Auth > HMAC SHA-1
ID
Local > Cert
Remote > Address
Auth Method : Certificates
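The two configurations above write the same proposal in different notations (pfSense's "AES-256" and "DH grp 1" against IPSecuritas's "AES 256" and "768 (1)"), which makes eyeballing a mismatch error-prone. The following is an added example, not code from the thread, pfSense or IPSecuritas: it normalises both notations to canonical (cipher, hash, DH group, lifetime) tuples and computes which phase 1 and phase 2 proposals the two sides actually have in common. The two dictionaries are constructed from the values quoted in the post; the modp-bits-to-group table and the field names are assumptions of this example.

```python
import re

# Constructed from the two configurations quoted in the post; the field names
# ("enc", "hash", "dh", "lifetime") are this example's own, the values are as posted.
PFSENSE = {
    "phase1": [{"enc": "AES-256", "hash": "SHA1", "dh": "1", "lifetime": "1800"}],
    "phase2": [{"enc": "AES-256", "hash": "SHA1", "dh": "2", "lifetime": "1800"}],
}
IPSECURITAS = {
    "phase1": [{"enc": "AES 256", "hash": "SHA-1", "dh": "768 (1)", "lifetime": "1800"}],
    "phase2": [{"enc": "AES 256 AES 192 AES 128", "hash": "HMAC SHA-1",
                "dh": "1024 (2)", "lifetime": "1800"}],
}

# IKE modp group sizes to group numbers (assumed mapping, standard IKEv1 groups).
MODP_BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}
# Cipher name followed by optional separator and optional key length.
ENC_RE = re.compile(r'(AES|3DES|DES|BLOWFISH|CAST128)[\s-]*(\d+)?', re.I)


def parse_enc(text):
    """'AES-256', 'AES 256' or 'AES 256 AES 192 AES 128' -> ['aes256', 'aes192', 'aes128']."""
    return [alg.lower() + bits for alg, bits in ENC_RE.findall(text)]


def parse_hash(text):
    """'SHA1', 'SHA-1' or 'HMAC SHA-1' -> 'sha1' (the HMAC prefix is implicit in ESP auth)."""
    return re.sub(r'[\s\-_]', '', text.lower().replace("hmac", ""))


def parse_dh(text):
    """'1', '2', '768 (1)' or '1024 (2)' -> IKE group number."""
    m = re.search(r'\((\d+)\)', text)
    if m:
        return int(m.group(1))
    n = int(re.search(r'\d+', text).group())
    # A bare large number is a modp size; a bare small number is already the group.
    return MODP_BITS_TO_GROUP.get(n, n)


def normalise(proposals):
    """Expand each proposal into one (enc, hash, dh, lifetime) tuple per listed cipher."""
    result = set()
    for p in proposals:
        for enc in parse_enc(p["enc"]):
            result.add((enc, parse_hash(p["hash"]), parse_dh(p["dh"]), int(p["lifetime"])))
    return result


def common_proposals(side_a, side_b, phase):
    """Proposals both sides can agree on for 'phase1' or 'phase2', sorted for stable output."""
    return sorted(normalise(side_a[phase]) & normalise(side_b[phase]))


def report(side_a, side_b):
    """Common proposals per phase; an empty list means no overlap for that phase."""
    return {phase: common_proposals(side_a, side_b, phase) for phase in ("phase1", "phase2")}


if __name__ == "__main__":
    for phase, common in report(PFSENSE, IPSECURITAS).items():
        print(phase, common if common else "NO COMMON PROPOSAL")
```

For the configurations quoted in the post the overlap is non-empty in both phases (aes256/sha1/group 1 for phase 1, aes256/sha1/group 2 for phase 2), which is consistent with the log showing phase 2 agreed on the wire and only the pfkey install failing; if the check had returned an empty phase 2 list, the problem would have been a genuine proposal mismatch instead.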