pfSense » pfSense Plus

I can't reproduce this here. I see the config.xml tag <prf-algorithm>sha256</prf-algorithm> but it does not get put into swanctl.conf.

The code already checks the value of the other conditional setting:

                if ($ph1ent['prfselect_enable'] != 'yes') {
                    $p1enc['prf-algorithm'] = false;
                }

My tunnel config has:

            <encryption>
                <item>
                    <encryption-algorithm>
                        <name>aes128gcm</name>
                        <keylen>128</keylen>
                    </encryption-algorithm>
                    <hash-algorithm>aesxcbc</hash-algorithm>
                    <prf-algorithm>sha256</prf-algorithm>
                    <dhgroup>14</dhgroup>
                </item>
            </encryption>

And in the resulting swanctl.conf there is no -prf<algo> string in the P1 proposal:

        proposals = aes128gcm128-aesxcbc-modp2048

So if you can reproduce the condition where it is interfering, we will need to see more of the problem configuration.

If the problem exists as you state, the proposal would look like this:

        proposals = aes128gcm128-aesxcbc-prfsha256-modp2048

But the only way I can get that result is to check the PRF Selection box in P1.

If I check it the PRF is used, if I uncheck it the PRF is ignored, which is exactly the expected behavior.

OK, if we can find a way to reproduce it on another system, we can always reopen it later with the exact conditions and procedure.