IPSec bug with PFS Key group?



  • Hello guys,

    we ran into problems with the latest 2.2/2.2.1 releases not being able to connect to a remote side where the phase 2 PFS key group was set.
    Checking /var/etc/ipsec.conf revealed that the esp setting in the config was not being written correctly. The pfs/modp part was missing completely.

    I checked /etc/inc/vpn.inc and found line 850:

    
    if (isset($a_client['pfs_group']))
        $ph2ent['pfsgroup'] = $a_client['pfs_group'];
    
    

    The form post value is actually pfsgroup, not pfs_group.
    Changing it to:

    
    if (isset($a_client['pfsgroup']))
        $ph2ent['pfsgroup'] = $a_client['pfsgroup'];
    
    

    wrote the correct ipsec.conf and the connection worked after that.

    Is that a bug? Should and can I submit this somewhere?

    Sebastian


  • Administrator

    It's confusing, but the parameter is called pfs_group on <client> and pfsgroup on <phase2>. Can you share a sanitized version of your config.xml?



  • Can you clarify this a bit, since I do not see any issue there!
    The code is correct there from what I can tell, but what does work for you after changing it?



  • Sorry for late reply. Was out of town for two days. Thanks for your quick replies!

    ipsec.conf before fix:

    
    # This file is automatically generated. Do not edit
    config setup
        uniqueids = yes
        charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"
    
    conn con1000
        reqid = 1
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = xxx.xxx.xxx.xxx
        right = xxx.xxx.xxx.xxx
        leftid = xxx.xxx.xxx.xxx
        ikelifetime = 28800s
        lifetime = 3600s
        ike = 3des-sha1-modp1024!
        esp = aes256-md5
        leftauth = psk
        rightauth = psk
        rightid = xxx.xxx.xxx.xxx
        aggressive = no
        rightsubnet = 100.64.13.160/29
        leftsubnet = 100.72.13.160/29
    

    After fix:

    
    # This file is automatically generated. Do not edit
    config setup
        uniqueids = yes
        charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"
    
    conn con1000
        reqid = 1
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = xxx.xxx.xxx.xxx
        right = xxx.xxx.xxx.xxx
        leftid = xxx.xxx.xxx.xxx
        ikelifetime = 28800s
        lifetime = 3600s
        ike = 3des-sha1-modp1024!
        esp = aes256-md5-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = xxx.xxx.xxx.xxx
        aggressive = no
        rightsubnet = 100.64.13.160/29
        leftsubnet = 100.72.13.160/29
    

    Please note the esp = line. Maybe it's a configuration thing, but after changing the post name in the source the file was being generated correctly. Before it was not.

    Sanitized config attached.

    config.txt
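    Added example (not part of this thread and not pfSense's own code): a small Python check that parses a generated ipsec.conf and flags every conn section whose esp proposal carries no DH group, which is exactly the difference between the two files above. The sample inputs are constructed from the two fragments in this post with most settings trimmed; the DH group names in the regex are the proposal keywords strongSwan uses (modp*, ecp*, curve25519/448, x25519/448).

```python
import re

# Constructed sample: trimmed copies of the "before" and "after" ipsec.conf
# fragments from the post (addresses sanitized as in the post).
IPSEC_CONF_BEFORE = """\
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"

conn con1000
    reqid = 1
    keyexchange = ikev1
    ike = 3des-sha1-modp1024!
    esp = aes256-md5
    rightsubnet = 100.64.13.160/29
    leftsubnet = 100.72.13.160/29
"""

# The fixed file differs only in the esp line (PFS group appended).
IPSEC_CONF_AFTER = IPSEC_CONF_BEFORE.replace(
    "esp = aes256-md5\n", "esp = aes256-md5-modp1024!\n")

# DH group keywords strongSwan accepts inside an ike/esp proposal string.
DH_GROUP_RE = re.compile(
    r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")


def parse_ipsec_conf(text):
    """Parse strongSwan ipsec.conf into {"conn NAME"/"config setup": {key: value}}.

    A non-indented line opens a section; indented "key = value" lines belong
    to the most recent section. Comments and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key/value outside any section: {line!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def dh_groups(proposal):
    """Return the DH group named in each comma-separated proposal, or None
    for a proposal that carries no group. The trailing '!' (strict) is ignored."""
    result = []
    for prop in proposal.rstrip("!").split(","):
        groups = [tok for tok in prop.strip().split("-") if DH_GROUP_RE.match(tok)]
        result.append(groups[0] if groups else None)
    return result


def conns_without_pfs(sections):
    """Names of conn sections that would negotiate Phase 2 without PFS:
    any esp proposal lacking a DH group, or no esp line at all."""
    missing = []
    for name, settings in sections.items():
        if not name.startswith("conn "):
            continue
        esp = settings.get("esp", "")
        if not esp or None in dh_groups(esp):
            missing.append(name.split(" ", 1)[1])
    return missing


if __name__ == "__main__":
    for label, conf in (("before", IPSEC_CONF_BEFORE), ("after", IPSEC_CONF_AFTER)):
        print(label, "-> conns without PFS:", conns_without_pfs(parse_ipsec_conf(conf)))
```

    Running it reports con1000 for the "before" file and nothing for the "after" file; the same check can be pointed at /var/etc/ipsec.conf after an upgrade to confirm that every tunnel that is supposed to use PFS actually carries a group in its esp line.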



  • Hi taenzerme,

    I have a fresh installed 2.2.
    There are some IPsec issues, but my ipsec.conf has at esp the appropriate modp setting.
    esp = 3des-sha1-modp1536!

    Does this only assign to modp1024?

    best regards
    thomas



  • Thomas,

    ours are 2.1 upgraded to 2.2 and it happens with all modp settings - they're missing completely.
    Changing the form name value for the field works at least for us.

    I did not have the time to test with a fresh install but will do later.



  • The root cause of that issue is https://redmine.pfsense.org/issues/4538 which is fixed for 2.2.2.

