Feature #4683
closedSupport for elliptic curve for IPsec on webconfigurator
0%
Description
In pfSense 2.2.2 strongswan runs with version 5.3.0 and it looks like it supports elliptic curves in the dh-group:
[2.2.2-RELEASE][admin@pfSense.localdomain]/root: ipsec listalgs
List of registered IKE algorithms:
encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] BLOWFISH_CBC[blowfish] RC2_CBC[rc2]
CAMELLIA_CBC[openssl] RC5_CBC[openssl] CAST_CBC[openssl] IDEA_CBC[openssl] NULL[openssl]
integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD4[md4]
HASH_MD5[md5]
prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]
MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl]
MODP_768[openssl] MODP_CUSTOM[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]
ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]
random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
[2.2.2-RELEASE][admin@pfSense.localdomain]/root:
By looking at strongswans cipher suites it is the NIST Elliptic Curve Groups and Brainpool Elliptic Curve Groups that is missing in the webconfigurator.
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
Updated by Lars Pedersen over 9 years ago
Can be closed: Solved with https://github.com/pfsense/pfsense/pull/1649
Updated by Chris Buechler over 9 years ago
- Status changed from New to Feedback
- Assignee set to Chris Buechler
- Target version set to 2.2.3
Updated by Chris Buechler over 9 years ago
- Status changed from Feedback to Resolved
confirmed. Thanks!
Updated by Lars Pedersen over 9 years ago
Chris Buechler wrote:
confirmed. Thanks!
Can see that you have set the target version to 2.2.3. Will you cherry pick this patch to RELENG_2_2?
Updated by Ermal Luçi over 9 years ago
It is already in 2.2.3 since the merge.
I merged it manually.
Updated by Lars Pedersen over 9 years ago
Ermal Luçi wrote:
It is already in 2.2.3 since the merge.
I merged it manually.
I'm still not convinced that it has been merged since ”brainpool” is nowhere to be found in:
https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/ipsec.inc
Besides the ipsec.inc file last update was 2 months ago.
Updated by Lars Pedersen over 9 years ago
Can see that you have only merged parts of the 1649 pull request. Things like IPsec phase 1 is missing AES GCM support and the function vpn_ipsec_convert_to_modp has not been updated too. So the current snapshot is broken with the new functionalities.
So will you be kind to do a fully merge of the given pull request :)
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2.3 to 2.3
Thanks for the heads up, Lars. We're short on time for 2.2.3, plus don't generally put features into maintenance releases, so I reverted the partial incorrect merge. 2.3 isn't too far into the future.