Project

General

Profile

Feature #4683

Support for elliptic curve for IPsec on webconfigurator

Added by Lars Pedersen about 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
High
Category:
IPsec
Target version:
Start date:
05/07/2015
Due date:
% Done:

0%

Estimated time:

Description

In pfSense 2.2.2 strongswan runs with version 5.3.0 and it looks like it supports elliptic curves in the dh-group:

[2.2.2-RELEASE][]/root: ipsec listalgs

List of registered IKE algorithms:

encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] BLOWFISH_CBC[blowfish] RC2_CBC[rc2]
CAMELLIA_CBC[openssl] RC5_CBC[openssl] CAST_CBC[openssl] IDEA_CBC[openssl] NULL[openssl]
integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD4[md4]
HASH_MD5[md5]
prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]
MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl]
MODP_768[openssl] MODP_CUSTOM[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]
ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]
random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
[2.2.2-RELEASE][]/root:

By looking at strongswans cipher suites it is the NIST Elliptic Curve Groups and Brainpool Elliptic Curve Groups that is missing in the webconfigurator.

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Associated revisions

Revision 7dc35024 (diff)
Added by Ermal Luçi about 4 years ago

Ticket #4683 merge in brainpool for DH parameters

History

#2 Updated by Chris Buechler about 4 years ago

  • Status changed from New to Feedback
  • Assignee set to Chris Buechler
  • Target version set to 2.2.3

#3 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

confirmed. Thanks!

#4 Updated by Lars Pedersen about 4 years ago

Chris Buechler wrote:

confirmed. Thanks!

Can see that you have set the target version to 2.2.3. Will you cherry pick this patch to RELENG_2_2?

#5 Updated by Ermal Luçi about 4 years ago

It is already in 2.2.3 since the merge.
I merged it manually.

#6 Updated by Lars Pedersen about 4 years ago

Ermal Luçi wrote:

It is already in 2.2.3 since the merge.
I merged it manually.

I'm still not convinced that it has been merged since ”brainpool” is nowhere to be found in:
https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/ipsec.inc

Besides the ipsec.inc file last update was 2 months ago.

#7 Updated by Ermal Luçi about 4 years ago

Merged.

#8 Updated by Lars Pedersen about 4 years ago

Can see that you have only merged parts of the 1649 pull request. Things like IPsec phase 1 is missing AES GCM support and the function vpn_ipsec_convert_to_modp has not been updated too. So the current snapshot is broken with the new functionalities.

So will you be kind to do a fully merge of the given pull request :)

#9 Updated by Chris Buechler about 4 years ago

  • Target version changed from 2.2.3 to 2.3

Thanks for the heads up, Lars. We're short on time for 2.2.3, plus don't generally put features into maintenance releases, so I reverted the partial incorrect merge. 2.3 isn't too far into the future.

Also available in: Atom PDF