    IPSec bug with PFS Key group?

    taenzerme

      Hello guys,

      We ran into problems with the latest 2.2/2.2.1 releases not being able to connect to a remote side where the phase 2 PFS key group was set.
      Checking /var/etc/ipsec.conf revealed that the esp setting in the config was not being written correctly. The pfs/modp part was missing completely.

      I checked /etc/inc/vpn.inc and found line 850:

      if (isset($a_client['pfs_group']))
          $ph2ent['pfsgroup'] = $a_client['pfs_group'];

      The form post value is actually pfsgroup, not pfs_group.
      Changing it to:

      if (isset($a_client['pfsgroup']))
          $ph2ent['pfsgroup'] = $a_client['pfsgroup'];

      wrote the correct ipsec.conf and the connection worked after that.

      Is that a bug? Should and can I submit this somewhere?

      Sebastian

      rbgarga (Developer, Netgate Administrator)

        It's confusing, but the parameter is called pfs_group on <client> and pfsgroup on <phase2>. Can you share a sanitized version of your config.xml?

        Renato Botelho

        eri--

          Can you clarify this a bit, since I do not see any issue there?
          The code is correct there from what I can tell, but what works for you after changing it?

          taenzerme

            Sorry for late reply. Was out of town for two days. Thanks for your quick replies!

            ipsec.conf before fix:

            
            # This file is automatically generated. Do not edit
            config setup
                uniqueids = yes
                charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"
            
            conn con1000
                reqid = 1
                fragmentation = yes
                keyexchange = ikev1
                reauth = yes
                forceencaps = no
                mobike = no
                rekey = yes
                installpolicy = yes
                type = tunnel
                dpdaction = restart
                dpddelay = 10s
                dpdtimeout = 60s
                auto = route
                left = xxx.xxx.xxx.xxx
                right = xxx.xxx.xxx.xxx
                leftid = xxx.xxx.xxx.xxx
                ikelifetime = 28800s
                lifetime = 3600s
                ike = 3des-sha1-modp1024!
                esp = aes256-md5
                leftauth = psk
                rightauth = psk
                rightid = xxx.xxx.xxx.xxx
                aggressive = no
                rightsubnet = 100.64.13.160/29
                leftsubnet = 100.72.13.160/29
            

            After fix:

            
            # This file is automatically generated. Do not edit
            config setup
                uniqueids = yes
                charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"
            
            conn con1000
                reqid = 1
                fragmentation = yes
                keyexchange = ikev1
                reauth = yes
                forceencaps = no
                mobike = no
                rekey = yes
                installpolicy = yes
                type = tunnel
                dpdaction = restart
                dpddelay = 10s
                dpdtimeout = 60s
                auto = route
                left = xxx.xxx.xxx.xxx
                right = xxx.xxx.xxx.xxx
                leftid = xxx.xxx.xxx.xxx
                ikelifetime = 28800s
                lifetime = 3600s
                ike = 3des-sha1-modp1024!
                esp = aes256-md5-modp1024!
                leftauth = psk
                rightauth = psk
                rightid = xxx.xxx.xxx.xxx
                aggressive = no
                rightsubnet = 100.64.13.160/29
                leftsubnet = 100.72.13.160/29
            

            Please note the esp = line. Maybe it's a configuration thing, but after changing the post name in the source the file was being generated correctly. Before it was not.

            Sanitized config attached.

            config.txt

            stegbth
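The symptom in the two ipsec.conf dumps above (an esp= proposal with no modp group) is easy to check for mechanically. The following is an added example, not code from the thread or from pfSense: it parses strongSwan ipsec.conf text, flags conns whose esp= line carries no DH group, and compares them against constructed phase-2 entries keyed `pfsgroup` (the key Renato names) using the standard IANA DH group numbering.

```python
import re

# Constructed samples: the thread's "before" ipsec.conf (esp line without a
# PFS group) trimmed to the lines this check needs, and the fixed variant.
BEFORE = """\
config setup
    uniqueids = yes

conn con1000
    ike = 3des-sha1-modp1024!
    esp = aes256-md5
"""
AFTER = BEFORE.replace("esp = aes256-md5", "esp = aes256-md5-modp1024!")

# IANA IKE DH group numbers -> strongSwan proposal tokens (assumption: pfSense
# stores the group number in the phase-2 'pfsgroup' value).
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
DH_TOKEN = re.compile(r"(modp|ecp)\d+|x25519")


def parse_conns(text):
    """Map conn name -> {key: value} for each conn section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header line
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current:
                conns[current] = {}
            continue
        if current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns


def esp_has_pfs(esp):
    """True only if every comma-separated proposal in esp= names a DH group."""
    proposals = [p.strip().rstrip("!") for p in esp.split(",") if p.strip()]
    return bool(proposals) and all(
        any(DH_TOKEN.fullmatch(t) for t in p.split("-")) for p in proposals)


def pfs_mismatches(phase2, text):
    """Return [(conn, expected_group)] for phase-2 entries (constructed dicts
    with 'conn' and 'pfsgroup') whose generated conn lacks that DH group."""
    conns, bad = parse_conns(text), []
    for ent in phase2:
        group = DH_GROUP.get(int(ent.get("pfsgroup", 0)))   # 0 = PFS off
        esp = conns.get(ent["conn"], {}).get("esp", "")
        if group and not (esp_has_pfs(esp) and group in esp):
            bad.append((ent["conn"], group))
    return bad
```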

              Hi taenzerme,

              I have a freshly installed 2.2.
              There are some IPsec issues, but my ipsec.conf has the appropriate modp setting at esp:
              esp = 3des-sha1-modp1536!

              Does this only apply to modp1024?

              best regards
              thomas

              taenzerme

                Thomas,

                Ours are 2.1 upgraded to 2.2, and it happens with all modp settings; they're missing completely.
                Changing the form name value for the field works at least for us.

                I did not have the time to test with a fresh install but will do later.

                cmb

                  The root cause of that issue is https://redmine.pfsense.org/issues/4538 which is fixed for 2.2.2.
