Bug #10734
pfSense doesn't use wrong proposals
Status: Closed
Description
Hello.
I use pfSense + MikroTik.
Configured IPsec (v1):
phase 1 int L2TP 10.100.0.132 main 3DES SHA1 2 (1024 bit)
phase 2 tunnel 192.168.10.0/24 192.168.0.0/24 ESP 3DES SHA1 2 (1024 bit)
But in the logs I see that pfSense selects the wrong proposals and IPsec doesn't work:
Jul 7 08:17:50 charon 13[CFG] <1> selecting proposal:
Jul 7 08:17:50 charon 13[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
Jul 7 08:17:50 charon 13[CFG] <1> selecting proposal:
Jul 7 08:17:50 charon 13[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Jul 7 08:17:50 charon 13[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 7 08:17:50 charon 13[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE
Updated by Jim Pingle over 4 years ago
- Category set to IPsec
- Status changed from New to Rejected
It must be in your settings but there is not nearly enough information to say for sure.
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.
Updated by Petr H almost 4 years ago
Same issue here.
P1 settings:
AES, 256 bits, SHA1, DH group 2 (1024 bit)
AES, 256 bits, SHA256, DH group 2 (1024 bit)
/var/etc/ipsec/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = (removed)
    rightsubnet = (removed)
    authby = never
    type = passthrough
    auto = route

conn con-mobile
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = %any
    right = %any
    leftid = (removed)
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha1-modp1024,aes256-sha256-modp1024!
    esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256!
    leftauth = psk
    rightauth = psk
    aggressive = no
First, the following is logged:
charon: 06[CFG] ike=aes256-sha1-modp1024,aes256-sha256-modp1024!
Which matches the configuration.
But a little later:
charon: 07[CFG] <126> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
And this is wrong, and I haven't figured out how to alter this to include MODP_1024 (DH group 2) in there.
I consider it a bug, as there isn't much to do in the configuration and the first logged list of proposals is correct.
If this bug isn't reopened I'll open a new one for the same thing.
Note: Several other people with the same issue can be found in Netgate forums, Reddit and other places. No solution is provided anywhere.
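The charon lines in both reports above have the same shape: the peer's single received proposal is compared against each configured proposal, and charon logs the first transform type for which nothing overlaps. As an added diagnostic (not code from pfSense or strongSwan), the Python script below parses those two log lines and reports, per configured proposal, which transform type fails and what the peer offered for it. The sample log is constructed from the lines quoted above with the long configured list shortened, and the order in which transform types are checked is the script's own assumption.

```python
import re

# Constructed sample: the charon lines quoted in this report, with the long configured list shortened (MODP_1024 still absent).
LOG = """\
Jul 7 08:17:50 charon 13[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 7 08:17:50 charon 13[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_3072/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_2048
"""

# Transform types, checked in this (assumed) order for every configured proposal.
TYPES = ["ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
         "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP"]
PREFIXES = [("PRF_", TYPES[2]), ("HMAC_", TYPES[1]), ("AES_XCBC", TYPES[1]),
            ("AES_CMAC", TYPES[1]), ("MODP_", TYPES[3]), ("ECP_", TYPES[3]),
            ("CURVE_", TYPES[3])]

def transform_type(name):
    """Classify a strongSwan transform name by prefix; anything else is a cipher."""
    return next((t for p, t in PREFIXES if name.startswith(p)), TYPES[0])

def parse_proposals(text):
    """'IKE:a/b/c, IKE:d/e' -> list of {transform type: set of names}."""
    proposals = []
    for prop in text.split(","):
        by_type = {}
        for name in prop.strip().partition(":")[2].split("/"):
            by_type.setdefault(transform_type(name), set()).add(name)
        proposals.append(by_type)
    return proposals

def extract(log, kind):
    """Return the proposal string after 'received proposals:' or 'configured proposals:'."""
    m = re.search(rf"{kind} proposals: (.+)", log)
    return m.group(1).strip() if m else ""

def explain_mismatch(log):
    """Per configured proposal: (first transform type with no overlap, what the
    peer offered for it), mirroring charon's 'no acceptable X found'; None = match."""
    recv = parse_proposals(extract(log, "received"))[0]
    verdicts = []
    for conf in parse_proposals(extract(log, "configured")):
        verdict = None
        for ttype in TYPES:
            if not recv.get(ttype, set()) & conf.get(ttype, set()):
                verdict = (ttype, sorted(recv.get(ttype, set())))
                break
        verdicts.append(verdict)
    return verdicts

for v in explain_mismatch(LOG):
    print("match" if v is None else f"no acceptable {v[0]} found; peer offered {v[1]}")
```

On the sample above it reports that the first configured proposal fails only on the DH group (the peer offered MODP_1024) and the second fails on the cipher (the peer offered 3DES_CBC), which is exactly the pair of messages in the quoted log.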