IPSec bug with PFS Key group?

taenzerme

Hello guys,

we ran into problems with the latest 2.2/2.2.1 releases not beeing able to connect to a remote side where the phase 2 pfs key group was set.
Checking /var/etc/ipsec.conf revealed that the esp setting in the config was not beeing written correctly. The pfs/modp part was missing completely.

I checked /etc/inc/vpn.inc and found line 850:

if (isset($a_client['pfs_group']))
    $ph2ent['pfsgroup'] = $a_client['pfs_group'];

The form post value is actually pfsgroup, not pfs_group.
Changing it to:

if (isset($a_client['pfsgroup']))
    $ph2ent['pfsgroup'] = $a_client['pfsgroup'];

wrote the correct ipsec.conf and the connection worked after that.

Is that a bug? Should and can I submit this somewhere?

Sebastian

rbgarga

It's confusing but parameter is called pfs_group on <client>and pfsgroup on <phase2>. Can you share a sanitized version of your config.xml?</phase2></client>

eri--

Can you clairfy this a bit since i do not see any issue there!
The code is correct there from what i can tell but what does work for you after changing it.

taenzerme

Sorry for late reply. Was out of town for two days. Thanks for your quick replies!

ipsec.conf before fix:

# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"

conn con1000
    reqid = 1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = xxx.xxx.xxx.xxx
    right = xxx.xxx.xxx.xxx
    leftid = xxx.xxx.xxx.xxx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = aes256-md5
    leftauth = psk
    rightauth = psk
    rightid = xxx.xxx.xxx.xxx
    aggressive = no
    rightsubnet = 100.64.13.160/29
    leftsubnet = 100.72.13.160/29

After fix:

# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"

conn con1000
    reqid = 1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = xxx.xxx.xxx.xxx
    right = xxx.xxx.xxx.xxx
    leftid = xxx.xxx.xxx.xxx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = aes256-md5-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = xxx.xxx.xxx.xxx
    aggressive = no
    rightsubnet = 100.64.13.160/29
    leftsubnet = 100.72.13.160/29

please note the esp = line.  Maybe it's a configuration thing but after changing the post name in the source the file was beeing generated correctly. Before it was not.

Sanitized config attached.

config.txt

stegbth

Hi taenzerme,

i have a fresh installed 2.2
There are some IPsec issues, but my ipsec.conf has at esp the appropriate modp setting.
esp = 3des-sha1-modp1536!

Does this only assing to modp1024?

best regards
thomas

taenzerme

Thomas,

ours are 2.1 upgraded to 2.2 and it happens with alle modp settings - they're missing completely.
Changing the form name value for the field works at least for us.

I did not have the time to test with a fresh install but will do later.

cmb

The root cause of that issue is https://redmine.pfsense.org/issues/4538 which is fixed for 2.2.2.