Bug #10734 (closed)
pfSense don't use wrong proposals
Description
Hello.
I use pfSense + MikroTik.
Configured IPsec (v1):
phase 1 int L2TP 10.100.0.132 main 3DES SHA1 2 (1024 bit)
phase 2 tunnel 192.168.10.0/24 192.168.0.0/24 ESP 3DES SHA1 2 (1024 bit)
But in the logs I see that pfSense is selecting wrong proposals and IPsec doesn't work:
Jul 7 08:17:50 charon 13[CFG] <1> selecting proposal:
Jul 7 08:17:50 charon 13[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
Jul 7 08:17:50 charon 13[CFG] <1> selecting proposal:
Jul 7 08:17:50 charon 13[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Jul 7 08:17:50 charon 13[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 7 08:17:50 charon 13[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE
Updated by Jim Pingle over 5 years ago
- Category set to IPsec
- Status changed from New to Rejected
It must be in your settings but there is not nearly enough information to say for sure.
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.
Updated by Petr H over 4 years ago
Same issue here.
P1 settings:
AES, 256 bits, SHA1, DH group 2 (1024 bit)
AES, 256 bits, SHA256, DH group 2 (1024 bit)
/var/etc/ipsec/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = (removed)
    rightsubnet = (removed)
    authby = never
    type = passthrough
    auto = route

conn con-mobile
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = %any
    right = %any
    leftid = (removed)
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha1-modp1024,aes256-sha256-modp1024!
    esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256!
    leftauth = psk
    rightauth = psk
    aggressive = no
First the following is logged:
charon: 06[CFG] ike=aes256-sha1-modp1024,aes256-sha256-modp1024!
Which matches the configuration.
But a little later:
charon: 07[CFG] <126> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
And this is wrong, and I haven't figured out how to alter this to include MODP_1024 (DH group 2) in there.
I consider it a bug, as there isn't much to do in the configuration and the first logged list of proposals is correct.
If this bug isn't reopened I'll open a new one for the same thing.
Note: Several other people with the same issue can be found in Netgate forums, Reddit and other places. No solution is provided anywhere.
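The "received proposals" / "configured proposals" pair that charon logs in both reports is enough to work out what was rejected and why. The script below is an added example, not pfSense or strongSwan code: it parses those two log lines, replays the per-transform-type overlap check that produces the "no acceptable <TYPE> found" messages, and lists what the peer proposed that this side never offered. The transform-type table, the function names and the simplified selection order are the example's own assumptions; the sample log lines are the first report's lines quoted verbatim.

```python
"""Explain a strongSwan (charon) IKE proposal mismatch from its CFG log lines.

Added example for this bug report; not pfSense's or strongSwan's own code.
It re-implements, in simplified form, the per-transform-type matching charon
performs between "received proposals" and "configured proposals".
"""
import re

# Transform-type table. Assumption: hand-built from the algorithm names that
# appear in the charon logs above; strongSwan's real registry is larger.
# Order matters: AES_XCBC/AES_CMAC (integrity) must be tested before "AES_".
_PREFIXES = (
    ("PRF_", "PSEUDO_RANDOM_FUNCTION"),
    ("HMAC_", "INTEGRITY_ALGORITHM"),
    ("AES_XCBC", "INTEGRITY_ALGORITHM"),
    ("AES_CMAC", "INTEGRITY_ALGORITHM"),
    ("AES_", "ENCRYPTION_ALGORITHM"),       # AES_CBC_*, AES_GCM_*, AES_CTR_*
    ("CAMELLIA_", "ENCRYPTION_ALGORITHM"),
    ("3DES_", "ENCRYPTION_ALGORITHM"),
    ("CHACHA20_", "ENCRYPTION_ALGORITHM"),
    ("MODP_", "DIFFIE_HELLMAN_GROUP"),
    ("ECP_", "DIFFIE_HELLMAN_GROUP"),
    ("CURVE_", "DIFFIE_HELLMAN_GROUP"),
)
# The check walks the types in this order and stops at the first with no overlap,
# which is why the first report logs the DH-group failure for the CBC proposal
# and the encryption failure for the GCM proposal.
TYPE_ORDER = ["ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
              "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP"]

_LINE_RE = re.compile(r"(received|configured) proposals: (?P<body>.+)$")


def transform_type(name):
    for prefix, ttype in _PREFIXES:
        if name.startswith(prefix):
            return ttype
    raise ValueError(f"unknown transform name: {name}")


def parse_proposals(line):
    """Return (kind, [(proto, {type: set(names)}), ...]) or None for other lines."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    proposals = []
    for prop in m.group("body").split(", "):
        proto, _, algs = prop.partition(":")
        by_type = {}
        for alg in algs.split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        proposals.append((proto, by_type))
    return m.group(1), proposals


def select_proposal(received, configured):
    """Try each configured proposal against the received ones, in order.

    Returns one verdict string per configured proposal tried, either
    "selected <proto>:<algs>" (after which selection stops) or
    "no acceptable <TYPE> found", mirroring charon's log lines.
    """
    verdicts = []
    for proto, cfg in configured:
        verdict = f"no received {proto} proposal"
        for rproto, rcv in received:
            if rproto != proto:
                continue
            verdict = None
            for ttype in TYPE_ORDER:
                want, have = rcv.get(ttype, set()), cfg.get(ttype, set())
                if (want or have) and not (want & have):
                    verdict = f"no acceptable {ttype} found"
                    break
            if verdict is None:  # every present type overlapped: a match
                picked = [sorted(rcv[t] & cfg[t])[0]
                          for t in TYPE_ORDER if t in rcv and t in cfg]
                verdict = f"selected {proto}:" + "/".join(picked)
                break
        verdicts.append(verdict)
        if verdict.startswith("selected"):
            break
    return verdicts


def peer_transforms_not_offered(received, configured):
    """Transforms the peer proposed that no configured proposal contains, by type."""
    offered = {}
    for _, cfg in configured:
        for ttype, names in cfg.items():
            offered.setdefault(ttype, set()).update(names)
    missing = {}
    for _, rcv in received:
        for ttype, names in rcv.items():
            gap = names - offered.get(ttype, set())
            if gap:
                missing.setdefault(ttype, set()).update(gap)
    return missing


def diagnose(log_lines):
    """Return (verdicts, missing) for the last received/configured pair in the lines."""
    received, configured = [], []
    for line in log_lines:
        parsed = parse_proposals(line)
        if parsed is None:
            continue
        kind, props = parsed
        if kind == "received":
            received = props
        else:
            configured = props
    return (select_proposal(received, configured),
            peer_transforms_not_offered(received, configured))


# Sample input: the two proposal lines from the first report above, verbatim.
SAMPLE_LOG = [
    "Jul 7 08:17:50 charon 13[CFG] <1> received proposals: "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Jul 7 08:17:50 charon 13[CFG] <1> configured proposals: "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/"
    "CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/"
    "HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/"
    "ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/"
    "MODP_6144/MODP_8192/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/"
    "AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/"
    "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/"
    "ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/"
    "MODP_4096/MODP_6144/MODP_8192/MODP_2048",
]

if __name__ == "__main__":
    verdicts, missing = diagnose(SAMPLE_LOG)
    for v in verdicts:
        print(v)
    print("peer proposed but not offered here:", missing)
```

Run on the first report's lines it reproduces charon's two verdicts in their logged order and pins the gap to MODP_1024 (DH group 2): encryption (3DES_CBC), integrity (HMAC_SHA1_96) and PRF all overlap with the CBC proposal, only the group does not. The same configured list is logged in Petr H's report, and it lacks the modp1024 that his ike= line requests, so the set charon applied to that peer was not built from the con-mobile line shown; the page does not settle why. From a defender's side the cleaner resolution is to move the MikroTik peer to a 2048-bit or larger group (the configured list already accepts MODP_2048) rather than re-enabling 1024-bit MODP on the pfSense side.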