Todo #13648

closed

Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing)

Added by Jim Pingle over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default

Description

FreeBSD removed support for several obsolete ciphers from its IPsec stack. See https://cgit.freebsd.org/src/commit/?id=16aabb761c0a8e5fb120594fcce4f2bf79fad61e

The relevant removed entries appear to be

  • 3DES
  • Blowfish
  • Cast128
  • MD5 HMAC authentication.

We need to remove these from the IPsec GUI and add upgrade code to disable any tunnels using them and document this removal for users.

NOTE: The MD5 variants removed here should not affect FRR/BGP. From the look of the FreeBSD source code, tcp-md5 remains in place and that's what is used by FRR.

These changes are mostly implemented now by Kristof, from MR https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/915 (f9cfd6bc0c3674382a87fe07ba00a3a5365c1744, ee9bbad1ce23989515dfb061ef087180c0514cb8, 807e91174169614c7f5402d66de88f924a48febd)

In addition to the current code, I'm going to try a more fine-grained approach where instead of disabling entire entries it only disables or skips entries with deprecated ciphers. If there are none left, then the whole P1/P2 can be disabled. This would be smoother for the user since they may need the IPsec tunnel to manage the router and it may not actually be using the outdated ciphers.

What we have in place is good enough for a start, though, I'll work on refining it and see how that goes.
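
The fine-grained approach described in this ticket, sketched as an added Python example (not code from the ticket, the merge request, or pfSense): proposals that use a removed algorithm are dropped, and a P1/P2 entry is disabled only when nothing survives. The dictionary layout, the `proposals`/`enc`/`auth` field names and the algorithm spellings are assumptions made for illustration.

```python
# Added illustration: a simplified model, not pfSense's schema or upgrade code.
DEPRECATED_ENC = {"3des", "blowfish", "cast128"}
DEPRECATED_AUTH = {"md5"}  # MD5 HMAC / hashing


def is_deprecated(proposal):
    """True if a proposal names a removed cipher or uses MD5 for integrity."""
    return (proposal["enc"].lower() in DEPRECATED_ENC
            or proposal.get("auth", "").lower() in DEPRECATED_AUTH)


def prune_phase(phase):
    """Return (new_phase, action) for one P1 or P2 entry.

    action: 'unchanged', 'pruned' (still usable) or 'disabled' (none left).
    """
    kept = [p for p in phase["proposals"] if not is_deprecated(p)]
    if len(kept) == len(phase["proposals"]):
        return phase, "unchanged"
    if kept:
        return {**phase, "proposals": kept}, "pruned"
    # Nothing usable remains: keep the original proposals for the admin to
    # review, but mark the entry disabled so it is never loaded.
    return {**phase, "disabled": True}, "disabled"


def upgrade(phases):
    """Apply prune_phase to every entry; return the new list and a report."""
    result, report = [], {}
    for phase in phases:
        new_phase, action = prune_phase(phase)
        result.append(new_phase)
        report[phase["descr"]] = action
    return result, report


# Constructed sample configuration (names and values are made up).
SAMPLE = [
    {"descr": "mgmt-vpn", "proposals": [{"enc": "aes256", "auth": "sha256"},
                                        {"enc": "3des", "auth": "sha1"}]},
    {"descr": "legacy-site", "proposals": [{"enc": "blowfish", "auth": "md5"}]},
    {"descr": "branch", "proposals": [{"enc": "aes128gcm"}]},
    {"descr": "partner", "proposals": [{"enc": "aes128", "auth": "MD5"}]},
]

if __name__ == "__main__":
    for name, action in upgrade(SAMPLE)[1].items():
        print(f"{name}: {action}")
```

In this sample the management tunnel keeps its AES proposal and stays up, which is the case the ticket is concerned about; only entries with no remaining proposal are disabled.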


Related issues

Related to Feature #13647: Support for ChaCha20-Poly1305 encryption with IPsec (Resolved, Kristof Provost)
